Responsible Disclosure Policy

It’s important that anybody is able to contact us, quickly and effectively, with security concerns. If you’re a security researcher and have discovered a security vulnerability, please disclose this information to us.

How to disclose a security issue

Please email us at [email protected]. You should mask or redact sensitive content or encrypt data using our PGP key.

Please include the following information in the submission:

• Sufficient details of the vulnerability to allow it to be understood and reproduced.
• The impact of the vulnerability.
• HTTP requests and responses, HTML snippets and screenshots (if appropriate).
• Proof of concept code (if available).
• Any references or further reading that may be appropriate.

What you can expect from us

We will usually read and respond to all messages within 24 hours. We will prioritise any required remediation according to the level of severity of the issue.

Responsibilities

At all times act responsibly and in the best interests of Koyo and our customers.

• Do not break the law
• Do not disrupt our systems or service
• Do not access any data that doesn’t belong to you
• Do not use social engineering techniques against our customers or staff

It is important that we treat your communication as a responsible disclosure and not an attack or extortion. Following these guidelines will help to ensure that.

Recognition

We do not currently offer bug bounties. However, we do believe in public recognition for anyone who helps us to ensure our systems and data are secure. We will not name you without your consent.