Shielda — Security Policy

_Last updated: 2026-04-18 (FIX-18 baseline)_

Last updated: 2026-04-18 (FIX-18 baseline)

We take the security of Shielda and of our customers' environments seriously. This page is the canonical entry point for reporting vulnerabilities, for understanding our disclosure timeline, and for verifying the integrity of our releases.

🔒 Reporting a Vulnerability

Please do not open a public GitHub issue. Instead, email security@shielda.io with:

A concise description of the issue Steps to reproduce (PoC code is welcome) The affected version / commit SHA Your PGP key if you'd like us to respond encrypted Whether you'd like public credit after the fix ships

For high-severity, actively-exploitable issues use the subject line [URGENT] <one-line summary. We page on-call for any email matching this prefix.

PGP Key

Shielda Security <security@shielda.io Fingerprint: TBD — published at https://shielda.io/.well-known/security.txt once our signing key is generated. Until then, please use TLS email and we will respond in kind.

-----END PGP PUBLIC KEY BLOCK-----

⏱ Disclosure Timeline

Stage Target SLO --------------------------- ---------------- Acknowledgement ≤ 24 h Triage + CVSS score ≤ 72 h Fix for Critical (≥ 9.0) ≤ 72 h Fix for High (≥ 7.0) ≤ 7 days Fix for Medium ≤ 30 days Coordinated public advisory after fix ships

We follow 90-day coordinated disclosure. If we cannot ship a fix within 90 days we'll ask for an extension with a specific ship date.

🛡 Scope

In scope:

app.shielda.io (control plane) The Shielda Agent binary (Go, published at github.com/shielda/agent) The @shielda/cli, @shielda/lsp-server, @shielda/mcp-server npm packages The Shielda VS Code extension Our public API surface (/api/v1/)

Out of scope (unless chained to an in-scope vulnerability):

Denial-of-service via high-traffic attacks on our marketing site Reports generated solely by automated scanners with no verified impact Issues already tracked in our public FIXPLAN.md or CHANGELOG.md Missing security headers on marketing pages (shielda.io)

🏁 Safe Harbor

We will not pursue civil action or report to law enforcement for research performed in good faith that:

Stays within this scope Does not access or modify customer data beyond what's necessary to demonstrate the issue Gives us a reasonable window to respond before public disclosure

🔐 Release Integrity

Agent binaries are reproducibly built via agent/Dockerfile.goreleaser. Container images are pushed to ghcr.io/shielda/ and signed with cosign keyless signatures (OIDC). The control-plane build emits an openapi.yaml at /api/v1/openapi.yaml — see ARCHITECTURE.md. Full SBOMs are produced per release (CycloneDX JSON) and published on the GitHub release page.

📋 Bug Bounty

We run a private bounty via responsible-disclosure email. Payouts follow Bugcrowd VRT and are scaled to Shielda ARR — contact security@shielda.io for the current table.

🧭 Related

COMPLIANCE.md — SOC 2, ISO, and data-handling posture. STATUS.md — live service-status page configuration. TELEMETRYPOLICY.md — what we collect and why.