Kaddio Security

Responsible Disclosure

At Kaddio, security is a top priority. We value the work of security researchers who help us keep our platform and users safe.

If you have discovered a security vulnerability in Kaddio, we encourage you to report it to us responsibly. We are committed to working with you to resolve the issue promptly.

Scope

This policy applies to vulnerabilities found in the Kaddio platform, including the web application and related services hosted under our domains.

How to Report

Please send your findings to security@kaddio.com. Include as much detail as possible to help us understand and reproduce the issue.

  • Description. A clear description of the vulnerability and its potential impact.
  • Steps to reproduce. Detailed steps so we can verify the issue.
  • Affected URL or component. The specific area of Kaddio where the issue was found.
  • Supporting material. Screenshots, logs, or proof-of-concept code if applicable.

Guidelines

We ask that you follow these guidelines when researching and reporting vulnerabilities:

  • Do not access, modify, or delete data belonging to other users.
  • Do not perform actions that could negatively affect Kaddio or its users, such as denial-of-service attacks, spamming, or social engineering.
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it.
  • Act in good faith and comply with all applicable laws.

What to Expect

  • Acknowledgement. We will acknowledge receipt of your report within 7 business days.
  • Assessment. We will investigate and assess the reported vulnerability.
  • Resolution. We will work to resolve verified vulnerabilities in a timely manner.
  • Communication. We will keep you informed of our progress.

Out of Scope

The following types of findings are generally considered out of scope:

  • Vulnerabilities in third-party services or applications that are not maintained by Kaddio.
  • Reports based solely on automated scanning without a demonstrated impact.
  • Issues related to outdated browsers or platforms.
  • Missing security headers that do not lead to a demonstrable exploit.

Safe Harbor

We will not pursue legal action against researchers who discover and report security vulnerabilities responsibly, in accordance with this policy. We consider responsible disclosure activities conducted consistent with this policy to be authorized.

Rewards

Please refrain from soliciting rewards as part of your disclosure — such requests are not in the spirit of responsible disclosure. Any decision regarding recognition or rewards is entirely at our discretion.

Contact

For all security-related reports and inquiries, please contact us at security@kaddio.com.