SECURITY

Responsible Disclosure

Last updated: April 26, 2026

We are an offensive security company. We expect and welcome security research on our own assets. This page describes how to report a vulnerability in KAOS systems and what you can expect in return.

Scope

  • kaos.ad and all subdomains
  • The KAI platform web application and public APIs
  • Our published mobile or desktop clients (if any)

Out of scope

  • Customer tenants and customer-owned data — report directly to the customer or stop testing.
  • Third-party services we use that have their own bug bounty programs (report to them).
  • Denial of service, volumetric, or rate-limit testing.
  • Social engineering or physical attacks against employees.
  • Reports based purely on missing security headers, theoretical CSP weaknesses, or outdated TLS configurations without demonstrable impact.
  • Self-XSS, and clickjacking on pages that expose no sensitive actions.
  • Spam, and raw automated-scanner output that has not been manually validated.

Safe harbor

If you make a good-faith effort to comply with this policy during your research, KAOS will not initiate or support legal action against you, will not contact law enforcement, and will treat your activity as authorized under applicable computer-misuse laws (including the Spanish Código Penal art. 197 bis et seq. and equivalent Andorran provisions). You must avoid privacy violations, destruction of data, and interruption of service, and you must not access more data than is necessary to demonstrate the issue.

How to report

  • Email security@kaos.ad with a clear technical description, reproduction steps, and impact.
  • PGP encryption is supported. Our public key is published at /.well-known/pgp-key.txt (coming soon).
  • Please do not file public issues, social-media posts, or third-party disclosures before we have had a chance to fix the issue.
  • See also our security.txt for the machine-readable contact.

What to expect

  • Acknowledgement within 5 business days.
  • Initial triage with severity assessment within 10 business days.
  • Remediation timeline appropriate to severity (Critical: hotfix ASAP; High: 30 days; Medium: 60 days; Low: 90 days).
  • Updates every two weeks while the issue is open.

Recognition

We do not currently pay monetary bounties. We do offer:

  • Public credit on our security hall of fame, if you opt in.
  • CVE coordination via our CNA partner where applicable.
  • KAOS swag and, for high-impact reports, complimentary platform credits.

Disclosure

We aim for coordinated disclosure within 90 days of the initial report. We are happy to coordinate publication, joint advisories, and conference talks.

Contact

security@kaos.ad