
Security & Coordinated Vulnerability Disclosure

Last updated: 2026-05-28

This page is currently published in English and German only. The English version follows.

Reporting a security issue

If you believe you have found a security vulnerability in ClipCatalog — the desktop application, our backend services at *.clipcatalogpro.com, or our public website — please report it privately at:

📧 security@clipcatalogpro.com

We treat all reports seriously. PGP-encrypted reports are not currently supported; if you need a secure channel for sensitive details, please email first and we will arrange one.

What to include in your report

  • A description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue (or a working proof-of-concept)
  • The affected ClipCatalog version (visible in About → Version)
  • Any relevant logs, screenshots, or sample artefacts
  • Whether you would like to be credited in the public advisory, and how (name, handle, link)

What to expect from us

| Stage | Target | What happens |
|---|---|---|
| Initial acknowledgement | Within 5 business days | We confirm we received your report and assign a tracking reference. |
| Triage decision | Within 10 business days | We tell you whether we accept the report, our initial severity estimate, and the planned remediation path. |
| Fix shipped + public advisory | Within 90 calendar days | A patched release is published; an advisory describing the issue, impact, and fix appears under /security/advisories/. |

We will keep you updated throughout. If we determine the report does not affect a supported product or is out of scope, we will explain why in writing.

Scope

In scope:

  • ClipCatalog desktop application (all currently supported versions)
  • Backend services at *.clipcatalogpro.com (licensing API, update endpoint, telemetry intake)
  • The public website at clipcatalogpro.com

Out of scope — the following are NOT eligible:

  • Social engineering of staff, customers, or contractors
  • Physical attacks against premises or hardware
  • Denial-of-service attacks (whether successful or not)
  • Issues in third-party services we depend on (Paddle, AWS, Cloudflare, Brevo, etc.) — please report those to the respective vendors directly
  • Theoretical vulnerabilities without a demonstrable impact path
  • Reports consisting solely of automated-scanner output without a manual triage or exploitability analysis
  • Best-practice recommendations (TLS configuration, missing security headers) without an exploitation scenario

Safe harbour

We adopt the disclose.io Core Terms. To the extent that your security research and vulnerability disclosure activities are conducted in good faith and in accordance with this policy, we will:

  • Consider your activities authorised
  • Not initiate or recommend legal action against you in connection with your research
  • Work with you to understand and resolve the issue quickly

If you make a good-faith effort to comply with this policy during your security research, we will consider your research authorised and we will not pursue civil or criminal action or send notice to law enforcement.

Coordinated disclosure

We aim to publish a public advisory once a fix has shipped and customers have had a reasonable opportunity to update. Our default disclosure target is 90 calendar days from the date you reported the issue, or sooner if a fix is available earlier. If you intend to publicly disclose on your own timeline, please coordinate with us in advance so we can synchronise the public advisory with the fix release.

Public advisories

Once an issue is fixed, the corresponding public advisory is published at /security/advisories/<CVE-ID> on this site, accompanied by a machine-readable CSAF 2.x document for downstream tooling.

Software Bill of Materials (SBOM)

For every released version of ClipCatalog we publish a CycloneDX 1.6 Software Bill of Materials listing every shipped component (Flutter and Dart packages, Python sidecar dependencies, vendored binaries, AI models) with version, license, and per-file SHA-256 hashes. This anticipates the Software Bill of Materials expectation in the EU Cyber Resilience Act (Annex I Part II §1), which applies to products placed on the market from 11 December 2027; we publish it now voluntarily. The index, the per-version files, and a stable latest.cdx.json URL for automated tooling are at /security/sbom/.
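As an added example (not ClipCatalog's own tooling), the following script shows how a downstream consumer can check installed files against the per-file SHA-256 hashes in a CycloneDX 1.6 SBOM like the one described above. The SBOM document, file names and file contents are constructed for the demo, and the script assumes the SBOM records each hashed file's install-relative path in the component `name`.

```python
"""Verify installed files against a CycloneDX 1.6 SBOM's per-file SHA-256 hashes."""
import hashlib
import json
import os
import tempfile

# Constructed minimal CycloneDX 1.6 document (not ClipCatalog's real SBOM).
# Field names (bomFormat, specVersion, components[].hashes[].alg/content)
# follow the CycloneDX JSON schema; "SHA-256" is the schema's alg value.
SAMPLE_SBOM = json.loads(json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "file", "name": "vendored/ffmpeg.bin", "version": "6.1",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(b"ffmpeg-bytes").hexdigest()}]},
        {"type": "file", "name": "models/tagger.onnx", "version": "2.0",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},  # will not match
        {"type": "library", "name": "requests", "version": "2.32.0"},  # no hash
    ],
}))

def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large vendored binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_sbom(sbom, install_dir):
    """Return {component name: 'ok' | 'mismatch' | 'missing' | 'unhashed'}."""
    if sbom.get("bomFormat") != "CycloneDX" or not str(sbom.get("specVersion", "")).startswith("1."):
        raise ValueError("not a CycloneDX 1.x document")
    results = {}
    for comp in sbom.get("components", []):
        expected = {h["content"].lower() for h in comp.get("hashes", []) if h.get("alg") == "SHA-256"}
        if not expected:
            results[comp["name"]] = "unhashed"   # nothing to verify for this component
            continue
        path = os.path.join(install_dir, *comp["name"].split("/"))
        if not os.path.isfile(path):
            results[comp["name"]] = "missing"
            continue
        results[comp["name"]] = "ok" if sha256_of(path) in expected else "mismatch"
    return results

def demo():
    """Write constructed files into a temp dir and verify them against SAMPLE_SBOM."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "vendored"))
        os.makedirs(os.path.join(d, "models"))
        with open(os.path.join(d, "vendored", "ffmpeg.bin"), "wb") as f:
            f.write(b"ffmpeg-bytes")          # matches the recorded hash
        with open(os.path.join(d, "models", "tagger.onnx"), "wb") as f:
            f.write(b"tampered-model")        # does not match the recorded hash
        return verify_sbom(SAMPLE_SBOM, d)
```

Any `mismatch` or `missing` result for a component that the SBOM hashes is the signal worth alerting on; `unhashed` components can only be checked by other means (package-manager metadata, signatures).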

Machine-readable contact

This policy is also published in machine-readable form at /.well-known/security.txt per RFC 9116.

See also

Product information — manufacturer details, product identifier, intended use, known cybersecurity risks, support-period end date, update-availability commitment, and secure decommissioning instructions, following the information structure of EU Cyber Resilience Act Annex II.

Manufacturer: PAULUS DIGITAL SOLUTIONS LLC. For general product support, use the in-app support channel or support@clipcatalogpro.com.