Security

Last updated: May 2026

Reporting a Vulnerability

We take the security of Cloud Gatherer Labs products and our website seriously. If you believe you have found a security vulnerability in any of our systems or applications, we encourage you to report it to us privately.

Please send your report to security@cloudgatherer.net. Include a clear description of the issue, the affected URL or component, reproduction steps, and any supporting evidence (logs, requests, screenshots). Reports written in English are preferred.

We will acknowledge receipt within five business days and will keep you informed of remediation progress where appropriate. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and address it.

Scope

The following are considered in scope for responsible disclosure:

  • The production website at cloudgatherer.net and its subdomains operated by us
  • Our published desktop applications (including AppleStand) and the license-key delivery flow

The following are out of scope and should not be tested:

  • Denial-of-service attacks, traffic flooding, or any testing that degrades service for other users
  • Physical attacks, social engineering of our staff or customers, and phishing
  • Third-party services we depend on (Paddle, Resend, Cloudflare, Apple) — please report issues in those systems directly to the relevant vendor
  • Automated mass scanning of arbitrary endpoints without a credible, reproducible finding attached
  • Vulnerability classes already publicly disclosed against an unpatched dependency without demonstrating impact on our specific deployment

Researcher Guidelines

When conducting research on systems in scope, please:

  • Limit testing to the minimum necessary to demonstrate the issue
  • Do not access, modify, or exfiltrate data belonging to other users, customers, or the company
  • Do not run exploits repeatedly or leave persistence; one clean proof of concept is sufficient
  • Report each issue once, under your real identity, from a single contact address
  • Allow us reasonable time to remediate before any public disclosure

We will not pursue legal action against researchers who act in good faith and in accordance with this policy.

Rewards

Cloud Gatherer Labs is a small independent company and does not currently operate a paid bug bounty program. We do not offer monetary rewards, gift cards, swag, or other compensation for vulnerability reports.

For verifiable, original, in-scope reports that result in a fix, we are happy to provide a non-monetary acknowledgment on this page under the researcher's preferred name, at our sole discretion. Acknowledgment is not provided for reports generated by automated scanners against unsolicited targets, for duplicate reports, or for reports submitted under multiple identities.

Acknowledgments

We thank the following researchers for responsibly disclosed reports that helped improve the security of our products and services:

  • Pritam — Next.js / CVE-2025-55182 (April 2026)

Contact

For all security-related correspondence:

security@cloudgatherer.net