GPL-3.0, no second tier
Squilla is licensed under the GNU General Public License v3.0. You may run it, study it, modify it, and redistribute it. Distribute a modified version and you must release the source under the same license. The full, legally binding text is in the LICENSE file at the root of the repository — the prose on this page is a summary, not a substitute.
No commercial tier, ever
There is no enterprise edition, no SaaS gateway, no “open-core” pattern. Every line of code that runs the kernel, the extensions, the admin UI, and this marketing site is in the public repository under GPL-3.0. If a feature ships, it ships for everyone.
No CLA
Contributors do not sign a Contributor License Agreement. You retain copyright in your contributions and license them under GPL-3.0 by submitting a pull request. The project cannot be relicensed out from under contributors — a future maintainer cannot take this code closed-source.
Bundled third-party code
Direct dependencies are listed in go.mod, package.json, and each extension's manifest. Each is used under its own OSI-approved license (MIT, BSD, Apache 2.0, MPL 2.0). The aggregate is GPL-3.0 compatible; we do not bundle code that is not.
What the CMS collects
Nothing. The Squilla binary makes no outbound network calls of its own — no telemetry, no anonymous metrics, no “phone-home” update check, no crash reporting. It only talks to the network when an extension you install and configure asks it to (e.g. resend-provider calls Resend; smtp-provider talks to your SMTP server). Each extension's network behaviour is described in its own README.
What this website collects
squilla.app uses no cookies, no JavaScript analytics, no third-party trackers, no fingerprinting. The reverse proxy keeps standard HTTP access logs (timestamp, source IP, request path, user-agent, response code, byte count) for 30 days for abuse detection and capacity planning. Logs are not exported, sold, shared, or correlated with any other dataset.
Forms and email
If you submit the contact form or sign up for release notifications, the email address you provide is stored in our self-hosted database and used only to reply to you or send the release note you asked for. We do not import it into a CRM or marketing automation tool. Ask for deletion at any time — see Contact below.
Third parties served by this site
Web fonts are loaded from Google Fonts (fonts.googleapis.com, fonts.gstatic.com). Code samples link to GitHub. There are no other third parties. If even that's too much, the source for this site is in the repository and you can build a self-hosted copy with the same theme.
Your rights
If you're an EU/UK resident, GDPR/UK-GDPR rights apply: access, rectification, erasure, restriction, portability, objection. Email the address in the Contact section and we'll handle it within 30 days. We do not need a formal request — a one-line email is enough.
Use of this site
Read it, link to it, screenshot it, quote it, scrape it (robots.txt is permissive; please throttle to a sane rate). Do not republish it as your own work or imply it represents another project.
Use of the software
Use of the Squilla CMS itself is governed by the GPL-3.0 license, not by this page. If the two ever appear to conflict, GPL-3.0 wins.
No warranty
Squilla is provided as is, without warranty of any kind, express or implied, including merchantability, fitness for a particular purpose, and non-infringement. To the fullest extent allowed by law, the maintainers are not liable for any claim, damages, or other liability arising from use of the software. The GPL-3.0 license contains the legally binding version of this paragraph.
Trademarks
“Squilla” and the compound-eye mark are unregistered trademarks of the Squilla project. You may use them to refer to the project, link to it, or attribute screenshots. You may not use them to brand a fork, a paid product, or a service in a way that suggests endorsement by the project.
Governing terms
This website is operated from the European Union; EU consumer-protection rules apply where relevant. Disputes that cannot be resolved by direct conversation will be handled in the maintainer's home jurisdiction. We have never had one and do not anticipate any.
Reporting a vulnerability
Use GitHub's private security advisory flow on the erikkubica/squilla repository (Security → Advisories → New draft). Do not file a public issue for an exploitable bug. If GitHub is unreachable for you, email the address in the Contact section with subject line SECURITY.
What we acknowledge
We aim to acknowledge in writing within 72 hours and confirm whether the report is in scope within 7 days. “In scope” means: the latest released version of the kernel, the in-tree extensions, the admin UI, this marketing site, and any official Docker image. Out of scope: third-party themes, third-party extensions, your own deployment misconfiguration, and social engineering of project maintainers.
Disclosure
Coordinated disclosure on a 90-day timeline from acknowledgement. We will negotiate a longer window for severe issues that require ecosystem coordination. We will not sit on a fix past the agreed window for marketing reasons.
Bug bounty
There is no monetary bounty — the project has no commercial revenue. We will publicly credit you in the release notes and the project Acknowledgements page, with the wording you choose, including “anonymous”.
Hardening guidance
Production-deployment guidance lives in docs/security.md in the repository. The short version: run the kernel as an unprivileged user, terminate TLS at a reverse proxy, set a strong SQUILLA_SESSION_SECRET, restrict SQUILLA_MCP_ALLOW_RAW_SQL to development, and rotate MCP tokens with care.
The mark
The compound-eye dot cluster represents Squilla's segmented kernel-and-extension architecture and the mantis shrimp's multi-spectrum perception. Don't recolour the dots; the iridescent palette (teal, violet, magenta, coral, lime) is the identity. SVG sources are in themes/squilla/assets/brand/.
The wordmark
Set in JetBrains Mono Medium, lowercase, with a trailing slash that distinguishes the project from generic uses of the word. Don't pad-cap it (“SQUILLA”), don't title-case it (“Squilla” inside the wordmark), don't replace the slash with another character.
Colour and motion
Accent colours and motion easing are documented in the design tokens at themes/squilla/assets/styles/tokens.css. If you're embedding screenshots in a slide deck, the dark theme reads better at projector contrast.
Welcomed uses
Articles, conference talks, podcast notes, screenshots, tutorials, comparison posts, classroom material, t-shirts, stickers, your own slide decks. Link back to the project where it makes sense; we won't chase you if you forget.
Not welcomed
Combining the mark with another logo to suggest a partnership we haven't agreed to. Selling the mark on merchandise as if licensed by the project. Branding a hostile fork “Squilla X” while using our mark. Implying endorsement of a paid service or training course.
How to reach us
GitHub is the primary channel for everything: bug reports, feature requests, security advisories, license questions, brand questions, and “does Squilla do X” conversations. The repository is erikkubica/squilla; issues, discussions, and private security advisories are all enabled.
For things that genuinely don't fit on GitHub — GDPR requests, press inquiries, takedown notices that involve an actual person's data — email hello@squilla.app. We respond within five working days. Please prefer GitHub for everything else; it keeps the conversation searchable for the next person with the same question.
Who maintains this
Squilla is maintained by Erik Kubica and a small group of contributors listed in the repository. The project has no parent company and no investors. There is no PR team to talk to.
Effective date
This page was last updated on 30 April 2026.