Security

Responsible Disclosure

How CatInCloud Labs approaches security: private VPC networking, KMS encryption, least-privilege IAM, and observability for calm, reliable pipelines.

Last updated: December 2025

Overview

CatInCloud Labs (operated by DaveHasACat LLC) takes a security-first approach: private networking, least-privilege IAM, encryption, and observability. If you believe you've found a vulnerability, I want to hear from you. Please report it privately so I can investigate and fix it quickly.

How to report

Email: dave@catincloudlabs.com
Machine-readable policy (security.txt): /.well-known/security.txt

Report template (copy & fill)

Title: [Short summary of the issue]
Target/URL: [Full URL]
Impact: [What could an attacker do?]
Steps to Reproduce:
1) ...
2) ...
3) ...
Observed Result: [...]
Expected Result: [...]
Environment: [Browser/OS], Timestamp (UTC): [...]
Attachments/PoC: [Links or inline]
Researcher Contact: [Name/Email or handle]

Scope

catincloudlabs.com and public assets hosted under this domain (including static content on Cloudflare Pages). Client environments and third-party platforms are out of scope unless explicitly authorized in writing.

Out of scope

  • Denial-of-service (DoS), load, or stress testing
  • Automated scanning that degrades service
  • Clickjacking on pages without sensitive actions
  • Missing security headers that do not directly lead to an exploit
  • Rate-limit testing
  • SPF/DMARC best-practice commentary without a demonstrated exploit
  • Physical, social engineering, or third-party vendor issues

Safe harbor

If you follow this policy and act in good faith, we won't initiate legal action against you for security research. Don't access, modify, or exfiltrate data that isn't yours. If you encounter non-public data, stop, don't save it, and report the minimal details needed to reproduce the issue.

Handling & timelines

  • Acknowledgment: We aim to respond within 72 hours.
  • Remediation: We prioritize based on severity and impact; we'll share status updates where feasible.
  • Disclosure: Please give us reasonable time to fix issues before any public disclosure.

Recognition

While we don't operate a bounty program, we appreciate the security community and may add an acknowledgment here for impactful, high-quality reports. If you'd like recognition, please let us know when you submit.

Data & privacy

Our Privacy Policy explains how we handle personal data. We avoid unnecessary collection and do not use advertising trackers. Server logs (e.g., IP address, user agent) may be retained for security and operations.

Questions

Reach us at dave@catincloudlabs.com. For machine-readable details, see /.well-known/security.txt.