Security

Last updated: 2026-06-18

This page describes how to report security issues for Moldable, including the desktop app, official apps, skills, and hosted services such as Moldable Artifacts.

Contact

If you discover a security vulnerability, email:

Please include:

  • A clear description of the issue
  • Steps to reproduce
  • Affected versions/components
  • Affected Artifact URL, publish key flow, API route, or file path, if relevant
  • Any proof-of-concept details and potential impact

For copyright, privacy, or abusive-content reports about a published Artifact, email hello@moldable.sh unless the report also involves a security vulnerability.

Disclosure Policy

We request coordinated disclosure:

  1. Report the issue privately by email.
  2. Give us reasonable time to investigate and ship a fix.
  3. Avoid public disclosure until we confirm remediation or agree on a timeline.

Safe Testing Guidelines

When testing, please:

  • Avoid accessing, modifying, or deleting data that is not yours
  • Avoid service disruption (DoS, resource exhaustion, spam)
  • Use the minimum proof needed to demonstrate impact
  • Test Artifact publishing, update, unpublish, and public-read behavior only with Artifacts you own or have permission to test
  • Do not attempt to guess private credentials, exfiltrate secrets, access unpublished Artifacts, or enumerate unlisted Artifact URLs beyond what is necessary for a report

Response Expectations

We aim to:

  • Acknowledge reports promptly
  • Triage severity and impact
  • Share status updates during remediation
  • Credit reporters when appropriate (if requested)

Related Resources