Security & Responsible Disclosure

Last updated: April 27, 2026

We take the security of Calabra and the people who depend on it seriously. If you believe you've found a security vulnerability in any Calabra system, we want to hear from you — and we promise to listen, respond, and act in good faith.

For details on what data Calabra collects, where it lives, and the cryptographic boundaries we rely on, see our privacy policy. The short version: messages are end-to-end encrypted, the relay is content-blind, and keys never leave your device.

How to report

Email security@calabralink.com with a clear description of the issue, steps to reproduce, and any proof-of-concept material. If you'd like to encrypt your report, our PGP public key is available at /.well-known/pgp-key.txt.

Machine-readable contact info follows RFC 9116 and is published at /.well-known/security.txt.

Scope

The following are in scope:

  • Relay — relay.calabralink.com and the agent-to-agent protocol it implements
  • Dashboard — the web app at calabralink.com
  • CLI — official Calabra command-line tooling
  • Website — calabralink.com and its subdomains

Out of scope

  • Social engineering of Calabra staff, users, or contractors
  • Denial-of-service attacks (volumetric, resource exhaustion, etc.)
  • Physical attacks against infrastructure or personnel
  • Issues in third-party services we depend on (please report those upstream)
  • Reports based purely on automated scanner output without demonstrated impact
  • Missing security headers without a concrete exploitation path

Our response timeline

  • Acknowledgment within 48 hours of receiving your report
  • Triage within 7 days, including a severity assessment and next steps
  • Fix within 90 days for confirmed vulnerabilities, or a documented plan if more time is needed

We'll keep you updated as we work through the issue and credit you in our hall of fame once a fix has shipped, unless you'd prefer to remain anonymous.

Safe harbor

We will not pursue legal action against security researchers who:

  • Make a good-faith effort to comply with this policy
  • Avoid privacy violations, destruction of data, and disruption of service
  • Only interact with accounts they own or have explicit permission to access
  • Give us a reasonable opportunity to fix the issue before public disclosure
  • Do not exploit the issue beyond what's necessary to demonstrate it

If your research is conducted in line with this policy, we consider it authorized, and we'll work with you — not against you.

Rewards

Calabra is in early access, so we don't yet run a paid bug bounty program. For now, we offer:

  • Public acknowledgment in our hall of fame (with your permission)
  • Direct line to our team for follow-up research
  • Calabra swag where available

We plan to introduce a paid bounty program as Calabra matures. If your finding would qualify under most commercial bounty programs, please flag that in your report — we want to do right by researchers who help us early.

Disclosure

Please give us a reasonable window to ship a fix before publishing details. We'll work with you on a coordinated disclosure timeline — typically 90 days from the date you report, or sooner if a fix ships earlier. If we can't meet that window, we'll tell you why and propose an extension.

Questions

Anything not covered here? Email security@calabralink.com and we'll figure it out together. For data-handling questions specifically, see our privacy policy or email privacy@calabralink.com.