Security & Vulnerability Disclosure
Intended Use
Dekupeo is a desktop application for Windows that runs locally on a user's PC. It communicates with laser cutters and engravers over USB/serial or a local area network (Wi-Fi), optimises part layouts on material sheets, generates G-code, and sends it to the connected machine.
Dekupeo is designed for use on a trusted private network (home workshop or small business LAN). It is not intended to be exposed to the public internet.
Security Properties
- Local-only API — the backend binds to 127.0.0.1 only; it is not reachable from the network.
- Signed installer & executables — the installer and all shipped executables are signed with Azure Trusted Signing so Windows SmartScreen can verify their authenticity before the user runs them.
- Verified updates — before launching a downloaded installer, the app checks its SHA-256 hash against the value returned by the release API. A mismatch is reported to the user and the installer is not run.
- Scoped native bridge — the WebView2 ↔ native message channel uses an explicit allowlist of permitted message types; unknown or malformed messages are discarded.
- Session-gated phone upload — the QR-code upload server uses 128-bit random session tokens that expire after 15 minutes and are single-use.
- Digital SBOM — a CycloneDX 1.5 Software Bill of Materials (sbom.json) is shipped inside every installer and scanned for known CVEs at build time; the build fails if unmitigated critical or high CVEs are found.
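The token lifecycle behind the session-gated phone upload (128-bit random tokens, 15-minute expiry, single use), as an added Python illustration that is not Dekupeo's own code; the class name UploadSessionStore and the injectable clock are assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed parameters matching the scheme described above.
TOKEN_BYTES = 16                 # 128 bits of randomness per token
TOKEN_TTL_SECONDS = 15 * 60      # a token is valid for 15 minutes after issue


@dataclass
class UploadSessionStore:
    """Hypothetical store for QR-code upload tokens: issue, then redeem once."""
    # Clock is injectable so expiry behaviour can be tested deterministically.
    clock: Callable[[], float] = time.monotonic
    _issued: Dict[str, float] = field(default_factory=dict)  # token -> issue time

    def issue(self) -> str:
        """Create a fresh token to embed in the QR code shown on the desktop."""
        token = secrets.token_hex(TOKEN_BYTES)   # CSPRNG; 32 hex chars = 128 bits
        self._issued[token] = self.clock()
        return token

    def redeem(self, token: str) -> bool:
        """Accept a token exactly once, and only while it is unexpired."""
        # pop() enforces single use: the token is gone after its first presentation,
        # whether or not that presentation succeeds.
        issued_at = self._issued.pop(token, None)
        if issued_at is None:
            return False                         # unknown, replayed, or purged
        if self.clock() - issued_at > TOKEN_TTL_SECONDS:
            return False                         # presented too late
        return True

    def purge_expired(self) -> int:
        """Drop expired, never-redeemed tokens so the table cannot grow unbounded."""
        now = self.clock()
        stale = [t for t, ts in self._issued.items() if now - ts > TOKEN_TTL_SECONDS]
        for t in stale:
            del self._issued[t]
        return len(stale)
```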
Vulnerability Disclosure Policy
We welcome responsible disclosure of security vulnerabilities in any Dekupeo component. If you believe you have found a security issue, please follow the process below.
How to report
- Send an e-mail to support@dekupeo.com with the subject line "Security Vulnerability Report".
- Describe the vulnerability clearly: affected component, version, steps to reproduce, potential impact, and any proof-of-concept or supporting material you can share.
- We will acknowledge receipt within 5 business days.
- We aim to provide an initial assessment and estimated fix timeline within 15 business days of the acknowledgement.
Our commitments to researchers
- We will not take legal action against researchers who act in good faith.
- We will keep you informed of progress toward a fix.
- We will credit you in the release notes when the fix ships (unless you prefer to remain anonymous).
- We ask that you do not publicly disclose the vulnerability until a fix has been released, or until 90 days have elapsed from your initial report — whichever comes first.
Patch & Update Lifecycle
Supported version
The currently supported version is the latest patch release of the current minor version series (e.g. all 3.1.x releases). When a new minor version is published, the previous minor series enters a 6-month sunset period, after which it reaches end of life and no further patches are issued. We commit to providing security updates for at least 2 years from the initial commercial release of each major version.
Security patches — always free
In accordance with the EU Cyber Resilience Act, security patches for the supported version are provided to all users free of charge, regardless of subscription status. The application notifies users in-app when a patch is available and allows installation without requiring an active subscription.
- Critical and high-severity vulnerabilities are fixed with priority and released as a standalone patch as quickly as possible, independently of the regular schedule.
- Other security and bug fixes are included in the next scheduled patch release.
Feature updates — active subscription required
New minor versions (e.g. 3.1 → 3.2) and new major versions introduce new features and may change interfaces or hardware requirements. Installing these requires an active support & updates subscription. Subscribers are notified in-app and can install any release, including new feature releases.
SBOM & Dependency Information
A CycloneDX 1.5 SBOM (sbom.json) is bundled with every installer in the application directory. It lists all included open-source components and their licences.
A vulnerability report is archived with each build and checked against the SBOM — the build fails on any unmitigated critical or high CVE.