Security

Vulnerability disclosure policy

Effective 2026-04-21. We aim to keep this short — read it, then go break things responsibly.

In scope

anvil.koydo.app and all subdomains we operate.
The published CLI @koydo/anvil-cli on npm.
The published anvil-capture macOS binary on GitHub Releases.
The published Anvil iOS / Android / macOS / visionOS / watchOS drivers when distributed via TestFlight / Play Store / Notarized DMG.
Supabase project osnxbuusohdzzcrakavn RLS policies on anvil_* tables (data-isolation issues).

DoS / volumetric attacks. Don't try to take the service down.
Social engineering of Anvil employees, contractors, or vendors.
Physical attacks against Koydo offices (we don't have any).
Reports based solely on outdated CVE versions without proof of actual exploitability — we publish VEX statements for those.
UI/UX issues that aren't security-relevant. File those at hello@koydo.app.

We will not pursue legal action against you for security research conducted in good faith if you:

Stay within the in-scope assets above.
Don't access, modify, or delete data belonging to other users — use a test account.
Don't degrade service availability for other users (no DoS, no cryptomining, no pivoting through our infra).
Give us a reasonable opportunity to fix before public disclosure (90 days for P0/P1, less for low-impact issues).
Don't violate any applicable law during testing.

In scope

anvil.koydo.app and all subdomains we operate.

The published CLI @koydo/anvil-cli on npm.

The published anvil-capture macOS binary on GitHub Releases.

The published Anvil iOS / Android / macOS / visionOS / watchOS drivers when distributed via TestFlight / Play Store / Notarized DMG.

Supabase project osnxbuusohdzzcrakavn RLS policies on anvil_* tables (data-isolation issues).

Out of scope

DoS / volumetric attacks. Don't try to take the service down.

Social engineering of Anvil employees, contractors, or vendors.

Physical attacks against Koydo offices (we don't have any).

Reports based solely on outdated CVE versions without proof of actual exploitability — we publish VEX statements for those.

UI/UX issues that aren't security-relevant. File those at hello@koydo.app.

Safe-harbor

We will not pursue legal action against you for security research conducted in good faith if you:

Stay within the in-scope assets above.

Don't access, modify, or delete data belonging to other users — use a test account.

Don't degrade service availability for other users (no DoS, no cryptomining, no pivoting through our infra).

Give us a reasonable opportunity to fix before public disclosure (90 days for P0/P1, less for low-impact issues).

Don't violate any applicable law during testing.

Severity

Acknowledge

Patch

P0 (critical, exploited)

2 hours

7 days

P1 (critical, unexploited)

24 hours

30 days

P2 (high)

3 business days

90 days

P3+ (medium / low)

5 business days

Best effort, next quarter