Security Policy
1. Our Security Commitment
Security is foundational to Cuttlefish, not bolted on. We build with the assumption that an AI desktop application operates in a high-trust environment — your machine, your keys, your data — and we design every layer to protect that trust.
We welcome security researchers who help us find and fix vulnerabilities responsibly. This policy explains how we protect your data, how to report an issue, and what you can expect from us in return.
2. Five-Layer Defense Model
Cuttlefish protects you through five complementary layers. No single layer is relied upon in isolation, so a weakness in one is caught by the others.
3. API Key Security
Your API keys are the most sensitive data Cuttlefish handles. Here is exactly how we protect them:
- Storage: Exclusively in your operating system's secure keychain — never in files, browser storage, or application databases.
- Transmission: Keys are sent directly from your machine to the AI provider's own endpoint over an encrypted connection. They are never routed through Moguls Inc servers.
- Memory: A key is retrieved from the keychain only for the duration of the request that needs it, and is not kept around afterward.
- Logging: API keys are never written to log files, crash reports, or usage diagnostics.
- Backend: Moguls Inc backend services never see, store, or have access to your API keys.
4. Auto-Update and Signature Verification
Cuttlefish includes a built-in updater so you stay current with security fixes. The update process is protected in several ways:
- Signed updates only: Every update package is cryptographically signed. Cuttlefish verifies that signature before applying anything, and refuses any update that is unsigned or has been tampered with.
- Encrypted delivery: Update details and files are fetched only over encrypted connections from our official release source.
- You stay in control: You can review what an update contains before applying it from the Settings screen.
- Safe recovery: If an update does not apply cleanly, the version you were already running is kept so you are never left without a working app.
5. Responsible Disclosure
If you discover a security vulnerability in Cuttlefish, we ask that you report it responsibly. Here is our process:
Report vulnerabilities to: [email protected]
Disclosure Timeline
We acknowledge receipt of your report and assign a tracking identifier.
We complete our initial assessment, confirm the vulnerability, and share our severity classification and an estimated remediation timeline.
We develop, test, and deploy a fix, and coordinate with you on public-disclosure timing. If a vulnerability is being actively exploited, we may move faster.
What to Include in Your Report
- A description of the vulnerability and its potential impact
- Steps to reproduce it (a proof of concept if possible)
- The affected component (desktop app, backend, or website)
- Your assessment of severity
- Your preferred contact method for follow-up
What We Ask
- Do not publicly disclose the vulnerability before the agreed-upon date.
- Do not access, modify, or delete data belonging to other users.
- Do not degrade the availability of the service.
- Act in good faith to avoid privacy violations and disruption.
6. Scope
This security policy and our responsible-disclosure process cover:
- Cuttlefish desktop application — the desktop client for Windows, macOS, and Linux.
- Cuttlefish backend — the backend services the desktop application connects to.
- Cuttlefish website — getcuttlefish.app and app.getcuttlefish.app.
7. Exclusions
The following are out of scope for our responsible-disclosure program:
- Vulnerabilities in third-party AI providers (OpenAI, Anthropic, and others) — please report these to the provider directly.
- Social-engineering attacks against Moguls Inc employees.
- Denial-of-service attacks.
- Physical attacks against infrastructure.
- Vulnerabilities in third-party dependencies that have already been publicly disclosed and have an upstream patch available (though we appreciate being told if we are running a vulnerable version).
- Issues that require physical access to a user's machine.
8. Recognition
We value the security community's contributions. With your permission, we credit you by name or handle in our security advisories when your report leads to a fix.
We do not run a paid bug-bounty program. We ask you to report responsibly because it protects the people who use Cuttlefish, and we recognize good-faith research in kind.
9. Contact
For security vulnerabilities and concerns:
Security Team
Email: [email protected]
For general legal inquiries:
Moguls Inc
Email: [email protected]
Support: [email protected]
Web: https://getcuttlefish.app
For details on how we handle your data, see our Privacy Policy and Terms of Service.