Security and Vulnerability Disclosure

We welcome reports from security researchers. Here is how to reach us.

How Sortio protects your files

Sortio organizes files on your own machine. For teams in regulated work such as law firms, accounting practices, and healthcare, here is exactly what happens to a document when Sortio sorts it.

  • Local-only option. With local inference through Ollama, the model runs on your device and no file content ever leaves the machine. This is the configuration for privileged, confidential, or regulated documents.
  • Managed AI or your own key. Prefer hosted AI for speed, or bring your own provider API key (BYOK) so calls go to an account you control.
  • Preview before anything moves. Every rename and move is shown for approval first. Nothing is destructive until you apply, and renamed or moved files keep a backup for 30 days so any change is recoverable.
  • Your filesystem, not a silo. Sortio organizes the files already on your disk or shared drive into ordinary folders. It does not lock your documents inside a proprietary store.

How to report

Email our security team

Send a detailed report to security@getsortio.com.

Please include reproduction steps, affected URLs or app versions, and any proof of concept. PGP is not required.

A machine-readable version of this policy is published at /.well-known/security.txt.

Our commitments

  • We will acknowledge your report within 3 business days.
  • We will provide a triage decision (in scope, severity, planned fix) within 10 business days.
  • We will not pursue legal action against researchers who follow this policy in good faith.
  • We will credit you in our release notes if you wish, after the fix is shipped.

Remediation timelines

We aim to resolve confirmed issues on the following schedule, measured from the date we accept the report:

  • High severity: 7 days
  • Medium severity: 30 days
  • Low severity: 90 days

Severity follows CVSS 3.1. Complex issues that require architectural changes may take longer; we will keep you posted on progress.

In scope

  • getsortio.com (marketing site)
  • app.getsortio.com (web app + checkout)
  • api.getsortio.com (backend API)
  • The Sortio desktop application (macOS, Windows)

Out of scope

  • Denial of service or volumetric attacks
  • Social engineering of CMG Labs employees or users
  • Issues that require physical access to a user's device
  • Findings limited to outdated browsers or end-of-life software
  • Reports from automated scanners without a working proof of concept

Researcher guidelines

While testing, please avoid accessing or modifying data that does not belong to you, do not run automated scanners against production endpoints, do not exfiltrate data beyond the minimum needed to demonstrate the issue, and give us a reasonable opportunity to remediate before any public disclosure.