Security & Responsible Disclosure
Vellichor handles confidential documents — research papers, contracts, medical records, legal files. Security is not a feature for us, it is the foundation. If you have found a vulnerability, we appreciate your help in disclosing it responsibly.
This page covers Vellichor specifically. For the umbrella policy covering all KhassinX apps and infrastructure, see khassinx.com/security.
Reporting
Email: [email protected]
Machine-readable disclosure pointer: /.well-known/security.txt (RFC 9116)
Please include: a brief description, reproduction steps, the impact you observed, and any tooling or accounts you used. Do not include real confidential documents in your report — synthetic or public-domain PDFs are sufficient to demonstrate most issues.
Scope
- vellichor.khassinx.com (this website)
- Vellichor iOS / iPadOS / watchOS / macOS apps on the Apple App Store
- Vellichor's use of CloudKit private database for sync (the schema and access patterns, not Apple's CloudKit infrastructure itself)
- Vellichor's use of iCloud Drive containers for PDF storage (same caveat)
Out of scope
- Third-party services (Apple App Store, Apple iCloud, Apple Intelligence Foundation Models) — please report to Apple directly via security.apple.com
- Volumetric attacks (DDoS, brute force) — not vulnerabilities
- Reports generated solely by automated scanners without reproducible proof of impact
- Theoretical issues without a demonstrable attack path
- Email spoofing on subdomains where we explicitly publish SPF/DKIM/DMARC
- Hallucinated or inaccurate AI output that does not constitute a security vulnerability (see the Terms regarding AI accuracy)
Response targets
- Acknowledgement: within five business days
- Initial triage: within fourteen days
- Coordinated disclosure timeline: agreed case by case, typically ninety days for non-critical, expedited for critical
Safe harbor
We will not pursue legal action against researchers acting in good faith. Good faith here means investigating and reporting within the scope rules above, accessing only the data necessary to demonstrate the issue, not exfiltrating user data, and giving us reasonable time to remediate before public disclosure.
Recognition
We do not currently offer a monetary bug bounty. We offer:
- Public acknowledgement on this page (with your consent, in the form you prefer)
- Direct communication with the engineering team handling the fix
- A formal credit in our release notes when the fix ships
What we ask you to avoid
- Do not access, modify, or delete documents belonging to other users. Vellichor holds no user documents on any server of ours; they live in each user's own CloudKit private database and iCloud Drive container. Reproducing CloudKit-level issues with synthetic accounts you control is fine.
- Do not perform tests that degrade service quality for other users
- Do not publicly disclose the vulnerability before we have had a reasonable chance to fix it
- Do not test on real user accounts without explicit written permission
Contact
Security disclosure: [email protected] (PGP key available on request)
General contact: [email protected]