If you discover a security vulnerability in Cloaked, please report it responsibly.
DO NOT open a public GitHub issue for security vulnerabilities.
Email: security@cloakedagent.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Resolution: depends on severity, typically 30-90 days
We will keep you informed throughout the process.
In scope:
- Solana program (`programs/cloaked/`)
- Backend relayer (`backend/`)
- SDK (`sdk/`)
- Frontend application (`app/`)
- ZK circuits (`circuits/`)
Out of scope:
- Third-party dependencies (report to their maintainers)
- Social engineering attacks
- DoS attacks on public infrastructure
- Issues already known and being addressed
| Secret | Storage | Notes |
|---|---|---|
| Agent Key | Client-side only | Never sent to backend, never logged |
| Master Secret | Client-side only | Derives agent keys, never leaves browser |
| Relayer Private Key | Server env var | Signs transactions, minimal balance |
Never:
- Log private keys or secrets (even partially)
- Store user secrets on the backend
- Include secrets in error messages
- Commit `.env` files to git
- User identity is protected via zero-knowledge proofs
- On-chain: only commitments visible, not secrets
- Agent ownership proven without revealing master secret
- Security issues: security@cloakedagent.com
- General questions: GitHub Issues