Security & Compliance · Responsible disclosure

Find a vulnerability? Tell us first.

Email security@kumokodo.ai with reproduction details. We acknowledge within 1 business day, triage within 5, and follow a coordinated-disclosure timeline. A formal bug-bounty program activates alongside the SOC 2 Type I auditor engagement; until then, we honor responsible-disclosure reports manually with named acknowledgment in /security release notes (no monetary payout pre-program).

← Security overviewInternal policies →

How to report.

  1. 1. Email security@kumokodo.ai with subject line starting with [disclosure].
  2. 2. Include: vulnerability description, reproduction steps, demonstration URL or curl command, what attacker capabilities you demonstrated, your suggested severity classification.
  3. 3. Use a research account if you can — a free-tier Kodori workspace works. Don’t pivot to other customers’ tenants under any circumstance — that crosses into an actual data-confidentiality incident regardless of your intent.
  4. 4. If your finding requires producing real customer data to demonstrate, STOP. Email us with the theoretical attack and we’ll set up a controlled reproduction environment with you under safe-harbor terms.
  5. 5. Optional: PGP-encrypt the report against our public key (available on request). Most reports are fine in plaintext over TLS-protected SMTP.

Scope.

In scope

  • kodori.ai (production marketing surface)
  • app.kodori.ai (production app surface) — when live; today the product runs at kodori.ai/dashboard via SSO
  • api.kodori.ai (REST + MCP endpoints) — once the dedicated subdomain is live; today the routes mount at kodori.ai/api/v1 + kodori.ai/api/mcp
  • The TypeScript SDK at @kumokodo/kodori-sdk on npm
  • Authentication, session management, OAuth flows (Google + Microsoft + WorkOS SAML)
  • Authorization gates (canReadDocument and the deny-wins composition)
  • Hash-chained audit log integrity + the verifyAuditChain code path
  • External connector data flows (Slack / Gmail / Outlook / SharePoint / OneDrive / Google Drive)
  • Cedar policy engine evaluation + the divergence-observation cron
  • Webhook signature verification + replay protection
  • API key generation + storage + verification
  • BYO-KMS envelope encryption flow + DEK re-wrap pipeline

Out of scope

  • Vercel / Neon / Cloudflare R2 / Anthropic / OpenAI / Inngest / Resend / Stripe / WorkOS / Slack / Microsoft / Google infrastructure — report directly to those sub-processors
  • Best-practice violations without a demonstrable security impact (TLS cipher preferences, security-header configuration nuances)
  • DoS / DDoS / volumetric attacks (Cloudflare handles upstream)
  • Social-engineering attacks against KumoKodo personnel
  • Issues requiring physical access to the user device
  • Self-XSS or attacks requiring an already-compromised user account
  • Email spoofing of kumokodo.ai outbound (SPF / DKIM / DMARC are configured but inbound spoofing is the recipient's mail provider concern)
  • Spamming the report intake address — repeat low-quality reports may be IP-blocked

What happens next.

  1. Within 1 business day

    Acknowledgment of receipt with a tracking ID. Intake reviewer assigned (today: Founder).

  2. Within 5 business days

    Initial triage complete. Severity classified (Sev 1-4 per the Incident Response Policy). Reporter notified of the classification.

  3. Within 30 days

    For Sev 1 / 2: fix shipped + post-incident review documented. For Sev 3 / 4: remediation timeline communicated; fix typically lands within 90 days.

  4. After fix lands

    Reporter notified of the fix + offered named acknowledgment in /security release notes (declinable). For Sev 1 / 2 fixes: the post-mortem is published anonymized 30 days after resolution.

Safe harbor.

KumoKodo will not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, destruction of data, and degradation of service to other users.
  • Stay within the in-scope catalog above.
  • Disclose vulnerabilities to security@kumokodo.ai before any public disclosure.
  • Allow KumoKodo a reasonable amount of time to remediate (per the timeline above) before public disclosure.

If you’re unsure whether your action is in scope or authorized, ask before acting. Email security@kumokodo.ai with subject line [disclosure-scope] and we’ll respond same-day with a yes / no / boundary clarification.