Find something? Tell us first. We'll fix it fast.

What we promise.

What's in. What's out.

In scope

• cognielo.com + any subdomain we operate
• The Cognielo iOS app + widget + watch extensions
• The Cognielo SDK (elo-core Rust crate)
• api.cognielo.com (once the Coach proxy is live)

Out of scope (please don't test)

• Anthropic's API surface — report to Anthropic directly
• Cloudflare infrastructure — report to Cloudflare
• Apple App Store review — report to Apple
• Third-party services we integrate with (Plaid, HealthKit, Google Workspace, Zoho) — upstream

Please don't

• Exfiltrate user data beyond what's needed to prove the issue
• Perform DoS or rate-limit testing against production
• Register many test accounts to reach thresholds — ask us for a test environment instead

Disclosure timeline.

Day	What happens
0	You email us a report at security@cognielo.com.
≤2	We acknowledge receipt.
≤7	We validate or ask for clarification.
≤30	We share our remediation plan.
≤90	We ship the fix. Critical issues: ≤7 days.
+14	You may publicly disclose — or sooner with our coordination.

Hall of fame.

The first name here goes to whoever shows us something we missed. We'd rather pay you in Pro subscriptions and public credit than miss a real flaw.

Our published threat model.

We maintain a STRIDE threat model covering every component Cognielo ships: the local substrate, the Anthropic API path, Cloudflare Workers, iCloud backups, widgets, and the Git pipeline. It names every residual risk we know about — including the critical ones we're still closing before public launch.