CUTTLEFISH

Security Policy

Legal Entity: Moguls Inc
Last Updated: March 25, 2026
Security Contact: security@getcuttlefish.app

Table of Contents

  1. Our Security Commitment
  2. 5-Layer Defense Model
  3. API Key Security
  4. Auto-Update and Signature Verification
  5. Responsible Disclosure
  6. Scope
  7. Exclusions
  8. Recognition
  9. Contact

1. Our Security Commitment

Security is foundational to Cuttlefish, not bolted on. We build with the assumption that AI-powered desktop applications operate in a high-trust environment — your machine, your keys, your data — and we design every layer to protect that trust.

We welcome security researchers who help us find and fix vulnerabilities responsibly. This policy outlines our defense architecture, our disclosure process, and how to report issues.

2. 5-Layer Defense Model

Cuttlefish implements security through five complementary layers. No single layer is relied upon in isolation.

  1. OS-Level Credential Isolation
     API keys are stored in your operating system's native keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service). Keys never exist in plaintext in configuration files, environment variables, or application memory beyond the immediate API call. The application requests keys from the OS keychain only when needed and does not cache them.
  2. Palisade Governance Engine
     Every AI operation passes through the Palisade policy engine before execution. OPA (Open Policy Agent) evaluates requests against active policies covering egress control, autonomy boundaries, rate limiting, and tool permissions. Policy violations block execution and generate signed audit receipts.
  3. Cryptographic Audit Trail
     Governance receipts are signed with Ed25519 keys, stored in WORM (Write-Once-Read-Many) immutable storage with 7-year retention. The audit-provenance-service independently verifies signatures and persists receipts. This creates a tamper-evident record of every policy decision.
  4. Transport and Infrastructure Security
     All backend communication uses TLS 1.2+. The backend runs on Azure Kubernetes Service with Istio service mesh for mTLS between services. Container images use distroless base images (no shell, no package manager) to minimize attack surface. RBAC controls restrict inter-service communication.
  5. Sandboxed Execution
     Code execution and tool operations run in isolated sandboxes with restricted permissions. The execution runtime service enforces resource limits, filesystem access controls, and network egress policies. Agent operations are constrained by governance policies before they can interact with the host system.

3. API Key Security

Your API keys are the most sensitive data Cuttlefish handles. Here is exactly how we protect them:

  • Storage: Exclusively in the OS-native keychain. Never in files, localStorage, or application databases.
  • Transmission: Keys are sent directly from your machine to the AI provider's API endpoint over TLS. They are never routed through Moguls Inc servers.
  • Memory: Keys are retrieved from the keychain only for the duration of an API call and are not persisted in application memory.
  • Logging: API keys are never written to log files, crash reports, or telemetry.
  • Backend: Moguls Inc backend services never see, store, or have access to your API keys.

4. Auto-Update and Signature Verification

Cuttlefish includes an auto-update mechanism powered by the Tauri updater framework. Security measures for updates include:

  • Signature verification: Every update package is cryptographically signed. The application verifies the signature before applying any update. Unsigned or tampered updates are rejected.
  • HTTPS transport: Update manifests and binaries are fetched exclusively over HTTPS from GitHub Releases.
  • User control: Users can inspect update details before applying them through the Settings interface.
  • Rollback: If an update fails to apply, the previous version is preserved.

5. Responsible Disclosure

If you discover a security vulnerability in Cuttlefish, we ask that you report it responsibly. Here is our process:

Report vulnerabilities to: security@getcuttlefish.app

Disclosure Timeline

Within 48 hours

We acknowledge receipt of your report and assign a tracking identifier.

Within 7 days

We complete our initial assessment, confirm the vulnerability, and provide you with our severity classification and estimated remediation timeline.

Within 90 days

We develop, test, and deploy a fix. We coordinate with you on public disclosure timing. If the vulnerability is actively exploited, we may accelerate this timeline.

What to Include in Your Report

  • Description of the vulnerability and its potential impact
  • Steps to reproduce (proof of concept if possible)
  • Affected component (desktop app, backend API, website)
  • Your assessment of severity
  • Your preferred contact method for follow-up

What We Ask

  • Do not publicly disclose the vulnerability before the agreed-upon date
  • Do not access, modify, or delete data belonging to other users
  • Do not degrade the availability of the Service
  • Act in good faith to avoid privacy violations and disruption

6. Scope

This security policy and our responsible disclosure process cover:

  • Cuttlefish Desktop Application — The Tauri-based desktop client for Windows, macOS, and Linux
  • Cuttlefish Backend API — The AGORA Fabric backend services accessible through the desktop application
  • Cuttlefish Website — getcuttlefish.app and app.getcuttlefish.app

7. Exclusions

The following are out of scope for our responsible disclosure program:

  • Vulnerabilities in third-party AI providers (OpenAI, Anthropic, etc.) — report these to the respective providers
  • Social engineering attacks against Moguls Inc employees
  • Denial of service attacks
  • Physical attacks against infrastructure
  • Vulnerabilities in third-party dependencies that have already been publicly disclosed and have upstream patches available (though we appreciate being notified if we are running a vulnerable version)
  • Issues that require physical access to a user's machine

8. Recognition

We believe in recognizing the security community's contributions. With your permission, we will:

  • Credit you by name (or handle) in our security advisories
  • Add you to our Security Hall of Fame (if we establish one)

We do not currently offer monetary bounties, but we may introduce a formal bug bounty program in the future.

9. Contact

For security vulnerabilities and concerns:

Security Team
Email: security@getcuttlefish.app

For general legal inquiries:

Moguls Inc
Email: legal@getcuttlefish.app
Web: https://getcuttlefish.app

© 2026 Moguls Inc
Cuttlefish is a product of Moguls Inc