Security disclosure policy

If you've found a security issue in Tacita — the app, the desktop companion, the Bridge transport, the website, or the cryptographic stack — this page tells you how to tell us, what we promise in return, and how long it takes.

How to report

Email [email protected]. Plain text or PGP-encrypted are both fine. There is no web form, no bug-tracker login, and no triage queue ticket to file. The mailbox is read by a human.

If you can, include in the report:

  • A short summary of the issue and its impact.
  • The Tacita version (Settings → About) and the platform (iOS / Android / desktop).
  • Steps to reproduce, or a minimal proof of concept.
  • Any artefacts (crash dump, network capture, attached file) you can share.

Please do not include your own real-world chat content or anyone else's data in the report — synthetic test vectors are enough and they let us iterate without holding personal data.

What we commit to

  • Acknowledgement within 72 hours of the email hitting the mailbox. If you haven't heard back by then, assume mail delivery broke and resend.
  • A first technical reply within 7 days with our assessment of severity and a rough plan.
  • Coordinated disclosure with a 90-day default embargo, measured from the acknowledgement. We can extend the embargo by mutual agreement if a fix is in flight; we will not extend it unilaterally past 120 days for a critical issue.
  • Public credit for the reporter, with the name and link of their choice, on the hall of fame page, once the patched release ships. Anonymous credit is fine; no credit is also fine.
  • No legal action against you for good-faith research that stays within the scope below. We will not pursue a CFAA / CMA / DMCA / equivalent claim against a reporter who follows this policy.

Scope

In scope:

  • The Tacita mobile app (iOS, Android) on all shipping versions.
  • The Tacita desktop companion (Windows, macOS, Linux) on all shipping versions.
  • The Bridge transport: the LAN-direct mode and the QR-pairing payload.
  • The cryptographic stack listed at /security.
  • This website (gettacita.com) and the .well-known/security.txt infrastructure.
  • The release-artifact manifest and SBOM signing pipeline.

Out of scope:

  • Vulnerabilities in third-party services that Tacita talks to but does not control (Hugging Face hosting, Google AdMob, RevenueCat, the platform stores). Please report those directly to the vendor.
  • Pure UI / UX issues that have no security impact (those go to [email protected]).
  • "Social engineering" of the developer mailbox or of the developer's personal accounts.
  • Denial-of-service issues against gettacita.com below the level of "publicly known protocol weakness" — the site is a static CDN, so this is the wrong target.
  • Findings that require root / jailbreak / a compromised OS to demonstrate. Tacita's threat model explicitly accepts these residuals (see /security).

What we mean by "good faith"

  • Test only against accounts and data you own, or against the test vectors and sample inputs shipped in the repo.
  • Do not exfiltrate other users' data even when you can. If a bug lets you read someone else's vault, prove it on synthetic data.
  • Do not degrade service for other users.
  • Give us a reasonable chance to fix the issue before going public.

Bug bounty

Tacita does not pay a cash bounty pre-launch. The install base is zero today and a bounty pool with nothing in it is worse than no bounty at all. Once the install base is non-zero and Pro revenue covers a reasonable pool, we will open one and announce it here.

In the meantime, every reporter who follows this policy gets a permanent entry on the hall of fame page, with the severity of the finding and a link of their choice. Reporters who prefer no credit get none — the credit is opt-in.

Machine-readable contact

The disclosure metadata is also published per RFC 9116 at /.well-known/security.txt.