Security
Last updated: April 20, 2026
We take security seriously. If you discover a vulnerability in Canopy, please report it responsibly so we can fix it before it affects users.
Responsible Disclosure
Please report security vulnerabilities by email to [email protected]. Do not open a public GitHub issue for security-sensitive findings.
We follow coordinated disclosure. We ask that you give us reasonable time to investigate and patch before publishing details publicly. We will acknowledge your report within one business day (severity-specific acknowledgment and patch targets are listed under Response SLA below) and keep you updated throughout the process.
A PGP public key for encrypted reports is planned and will appear here once available. In the meantime, standard email is acceptable — we monitor this address continuously.
Supported Versions
We maintain security patches for the following versions. Using an unsupported version means you will not receive security fixes.
| Version | Support status | Notes |
|---|---|---|
| v2.0.0 (current) | Full support | All security patches applied |
| v1.6.x | Security patches only, until 2026-07-20 | Critical vulnerabilities only; no new features |
| v1.5.x and earlier | End of life | No further patches. Upgrade to v2.0.0. |
The v1.6.x security-patch window ends on 2026-07-20, 90 days after the v2.0.0 release. After that date, only v2.x receives security attention.
Scope
The following are in scope for vulnerability reports:
- License webhook Worker — heartbeat.canopy.ironpinelabs.com. Authentication bypass, license spoofing, seat limit circumvention.
- Admin portal Worker — admin.canopy.ironpinelabs.com. Auth bypass, unauthorized binding revocation, data exposure.
- CLI binary — canopy. Local privilege escalation, license validation bypass, unsafe file handling.
- Indexing and MCP server — canopy serve. Path traversal in tool handlers, command injection via indexed content, unsafe deserialization.
- License key format — Ed25519 signature forgery, payload tampering.
Out of Scope
- Vulnerabilities requiring physical access to the user's machine.
- Reports that amount to "the binary reads files from disk" — this is expected behavior.
- Findings against third-party services (Stripe, Cloudflare, Resend) — report those to the respective vendor.
- Internal infrastructure not reachable from the public internet.
- Social engineering attacks targeting Ironpine Labs staff.
- Denial-of-service attacks that require the attacker to already control the local machine.
Response SLA
| Severity | Acknowledgment | Patch target |
|---|---|---|
| Critical — remote code execution, auth bypass, data breach | 24 hours | 7 days |
| High — privilege escalation, license bypass | 48 hours | 14 days |
| Medium — information disclosure, path traversal (local) | 72 hours | 30 days |
| Low / Informational | 72 hours | Next minor release |
These are targets, not guarantees. Canopy is maintained by a solo founder; if a critical finding arrives during an unusual week, we will communicate any timeline slippage proactively.
Hall of Fame
We'll list contributors here once we receive responsibly disclosed reports. If you report a valid security issue, we'll acknowledge you by name (or pseudonym, your choice) in this section.
This policy is also available in machine-readable form at /.well-known/security.txt per RFC 9116.