Security
Last updated: April 20, 2026
We take security seriously. If you discover a vulnerability in Canopy, please report it responsibly so we can fix it before it affects users.
Responsible Disclosure
Please report security vulnerabilities by email to security@gulfshieldtech.com. Do not open a public GitHub issue for security-sensitive findings.
We follow coordinated disclosure. We ask that you give us reasonable time to investigate and patch before publishing details publicly. We will acknowledge your report within one business day (severity-based acknowledgment and patch targets are listed under Response SLA below) and keep you updated throughout the process.
A PGP public key for encrypted reports is planned and will appear here once available. In the meantime, standard email is acceptable — we monitor this address continuously.
Supported Versions
We maintain security patches for the following versions. Using an unsupported version means you will not receive security fixes.
| Version | Support status | Notes |
|---|---|---|
| v1.7.x (pre-launch) | Active development | Pre-release iteration; no public binaries yet shipped |
| v2.0.0 (planned) | First public release | Full support begins at v2.0.0 launch; all patches will target v2.x |
| v1.6.x and earlier | Internal development only | Pre-launch internal milestones; never shipped to external users |
Canopy is in pre-release development. Once v2.0.0 ships as the first public release, this table will reflect a normal supported-versions window (current minor + previous minor for 90 days).
Scope
The following are in scope for vulnerability reports:
- License webhook Worker — heartbeat.gulfshieldtech.com. Authentication bypass, license spoofing, seat limit circumvention.
- Admin portal Worker — admin.gulfshieldtech.com. Auth bypass, unauthorized binding revocation, data exposure.
- CLI binary — canopy. Local privilege escalation, license validation bypass, unsafe file handling.
- Indexing and MCP server — canopy serve. Path traversal in tool handlers, command injection via indexed content, unsafe deserialization.
- License key format — Ed25519 signature forgery, payload tampering.
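To make the last two scope items concrete, here is an added example (not Canopy's own code, and not the real Canopy key layout) of how an Ed25519-signed license key is checked so that payload tampering and keys signed by an unknown issuer are rejected. The key layout, the `License` field names, and the helper names `Keygen`, `Issue`, `Verify` and `Tamper` are assumptions made for this illustration. The point it demonstrates is ordering: the signature is verified over the raw payload bytes before the payload is parsed, and the expiry and seat fields are only trusted after that check passes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// License is the signed payload. The field set is an assumption made for this
// example; the real Canopy key layout is not documented on this page.
type License struct {
	ID       string `json:"lid"`
	Customer string `json:"sub"`
	Seats    int    `json:"seats"`
	Expires  int64  `json:"exp"` // Unix seconds
}

var (
	ErrMalformed = errors.New("license: malformed key")
	ErrSignature = errors.New("license: signature does not verify")
	ErrExpired   = errors.New("license: expired")
)

var b64 = base64.RawURLEncoding

// Keygen returns a fresh issuer keypair. The private half stays on the
// issuer; only the public half would be compiled into a CLI.
func Keygen() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue encodes a key as base64url(payload) "." base64url(signature).
func Issue(priv ed25519.PrivateKey, lic License) string {
	payload, err := json.Marshal(lic)
	if err != nil {
		panic(err)
	}
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(priv, payload))
}

// Verify checks the Ed25519 signature over the raw payload bytes before the
// payload is parsed, so attacker-controlled JSON is never interpreted, and
// only then applies the expiry check. now is Unix seconds.
func Verify(pub ed25519.PublicKey, key string, now int64) (License, error) {
	var lic License
	if len(pub) != ed25519.PublicKeySize {
		return lic, ErrMalformed // misconfigured verifier, never trust anything
	}
	parts := strings.Split(key, ".")
	if len(parts) != 2 {
		return lic, ErrMalformed
	}
	payload, err := b64.DecodeString(parts[0])
	if err != nil {
		return lic, ErrMalformed
	}
	sig, err := b64.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return lic, ErrMalformed
	}
	if !ed25519.Verify(pub, payload, sig) {
		return lic, ErrSignature
	}
	if err := json.Unmarshal(payload, &lic); err != nil {
		return lic, ErrMalformed
	}
	if now >= lic.Expires {
		return lic, ErrExpired
	}
	return lic, nil
}

// Tamper simulates the "payload tampering" attack from the scope list: the seat
// count is rewritten but the original signature is kept. A checker that decodes
// the payload without verifying it first would accept the result.
func Tamper(key string, seats int) string {
	parts := strings.SplitN(key, ".", 2)
	if len(parts) != 2 {
		return key
	}
	payload, _ := b64.DecodeString(parts[0])
	var lic License
	_ = json.Unmarshal(payload, &lic)
	lic.Seats = seats
	forged, _ := json.Marshal(lic)
	return b64.EncodeToString(forged) + "." + parts[1]
}

func main() {
	pub, priv := Keygen()
	now := int64(1_700_000_000) // constructed "current time" for the demo
	key := Issue(priv, License{ID: "L-0001", Customer: "acme", Seats: 5, Expires: now + 86400})

	for name, k := range map[string]string{
		"genuine":  key,
		"tampered": Tamper(key, 500),
		"garbage":  "not-a-key",
	} {
		lic, err := Verify(pub, k, now)
		fmt.Printf("%-8s seats=%d err=%v\n", name, lic.Seats, err)
	}
	other, _ := Keygen()
	_, err := Verify(other, key, now) // same key, checked against a different issuer
	fmt.Println("other issuer err:", err)
}
```

Two details matter for a report in this category: a key whose JSON parses but whose signature fails must be rejected before any field is read, and a signature that is the right size but made by a different issuer key is indistinguishable from forgery and gets the same rejection.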
Out of Scope
- Vulnerabilities requiring physical access to the user's machine.
- Reports that amount to "the binary reads files from disk" — this is expected behavior.
- Findings against third-party services (Stripe, Cloudflare, Resend) — report those to the respective vendor.
- Internal infrastructure not reachable from the public internet.
- Social engineering attacks targeting Gulf Shield Technologies staff.
- Denial-of-service attacks that require the attacker to already control the local machine.
Response SLA
| Severity | Acknowledgment | Patch target |
|---|---|---|
| Critical — remote code execution, auth bypass, data breach | 24 hours | 7 days |
| High — privilege escalation, license bypass | 48 hours | 14 days |
| Medium — information disclosure, path traversal (local) | 72 hours | 30 days |
| Low / Informational | 72 hours | Next minor release |
These are targets, not guarantees. Canopy is maintained by a solo founder; if a critical finding arrives during an unusual week, we will communicate any timeline slippage proactively.
Hall of Fame
We'll list contributors here once we receive responsibly disclosed reports. If you report a valid security issue, we'll acknowledge you by name (or pseudonym, your choice) in this section.
This policy is also available in machine-readable form at /.well-known/security.txt per RFC 9116.