Vulnerability Disclosure Program

Kindo welcomes responsible security research and appreciates reports that help keep our systems and customers safe. If you believe you’ve found a security issue, please report it privately and we’ll work with you to investigate and remediate.

Scope

This VDP applies to all internet-facing systems and applications owned or operated by Kindo.ai, including:

Kindo web properties

Including kindo.ai, app.kindo.ai, and all related subdomains: This includes the main corporate website, customer portal, and any related web applications.

Deep Hat web properties

Including deephat.ai, app.deephat.ai, and all related subdomains.

API interfaces

This includes all publicly accessible APIs.

Acquired companies and related companies

Unless otherwise stated, this VDP also applies to systems and applications of companies acquired or owned by Kindo.ai.

Out of Scope

The following are explicitly excluded from this VDP:

Internal systems not accessible from the internet.

Systems of third-party vendors or partners.

Physical security vulnerabilities (e.g., building access).

Denial of Service (DoS) vulnerabilities. While we appreciate reports of potential DoS vulnerabilities, we ask that researchers refrain from testing them against our systems.

Social engineering attacks (e.g., phishing).

Vulnerabilities in third-party libraries or frameworks unless they are uniquely exploitable in our implementation.

The LLM (Deep Hat) product and associated AI/ML model endpoints. Prompt injection, jailbreak attempts, and other LLM-specific attack techniques against Deep Hat are not in scope for this program.

Responsible Disclosure Guidelines

We request that security researchers follow these guidelines when reporting vulnerabilities:

Submit Comprehensive Findings

Provide detailed information: Include steps to reproduce the vulnerability, affected systems, potential impact, and any proof-of-concept code.

Limit Testing to Proof Only

Do not exploit the vulnerability beyond what is necessary to demonstrate its existence. This includes accessing, modifying, or deleting data, or any act considered malicious.

Practice Responsible Disclosure

Do not disclose the vulnerability publicly until we have had a reasonable time to investigate and remediate it. We appreciate your understanding in allowing flexibility to address any findings. The reporter will be notified via email when we review and investigate the findings.

Report Through Official Channels

Submit your report through our designated email bugs@kindo.ai. Do not report vulnerabilities through social media or other public forums. Please submit reports only to bugs@kindo.ai; reports sent elsewhere may not be reviewed.

Maintain Strict Confidentiality

Keep all communication confidential.
Built on Trust

Safe Harbor

Kindo.ai commits to working with security researchers in good faith. If you follow the guidelines outlined in this VDP, we will not initiate legal action against you for accidentally accessing systems or data while conducting security research. This safe harbor applies even if your actions would otherwise violate our terms of service or other agreements.

Response process

Upon receiving a vulnerability report, we will:

1

Acknowledge receipt of the report within 15 business days.

2

Investigate the reported vulnerability and assess its impact. Investigations will take anywhere from 60 to 90 days.

3

If investigations confirm a reported issue, we aim to remediate confirmed vulnerabilities within 60–90 days of validation, depending on complexity and risk.

Rewards and Severity

Kindo may, at its sole discretion, offer monetary rewards for valid vulnerability reports based on severity and impact.
Severity Levels

We evaluate submissions using an internal severity model that aligns with common industry practice:
While estimated CVSS scores from reporters are welcome, Kindo will make the final determination for severity scoring based on our own research and analysis.

Critical (CVSS 9.0–10.0)

Typically $500–$1,000, and not to exceed $1,000 per issue

Unauthenticated RCE on production infrastructure

Full authentication bypass — accessing any account without credentials (e.g., key exposure allowing arbitrary x-user-id/x-org-id spoofing)

Mass cross-tenant data exfiltration (e.g., SQL injection on the multi-tenant PostgreSQL database)

Compromise of encryption keys (decrypts all user secrets) or OAuth tokens at rest

Sandbox escape leading to host-level code execution

Supply chain compromise affecting customer environments

Bulk access to encrypted secrets, API key hashes, or integration credentials across orgs

High (CVSS 7.0–8.9)

 Typically $150–$500

Cross-tenant data access — reading another org's conversations, workflows, or dashboard data

Privilege escalation across tenant boundaries

IDOR accessing sensitive data (message content, secrets, integration credentials) of another user, even within the same org

SSRF from MCP tool proxying reaching internal services or cloud metadata endpoints

Authentication bypass with preconditions (e.g., requires valid session + race condition)

DLP bypass exposing high-sensitivity PII (SSNs, credit cards, medical data)

Webhook signature bypass (e.g. HMAC) or direct webhook token enumeration

Backend policy bypass granting unauthorized access to a protected resource

Prompt injection via MCP tool outputs that exfiltrates user data or credentials

Medium (CVSS 4.0–6.9)

Typically $50–$150

Stored/reflected XSS in an authenticated context with limited scope

CSRF on non-critical state-changing actions (e.g., renaming a dashboard)

IDOR accessing non-sensitive data within the same org (e.g., viewing another member's conversation title, not content)

Privilege escalation within the same org (e.g., member → admin of own org)

DLP bypass that leaks low-sensitivity PII (e.g., names, locations) in a single conversation

Denial of service requiring authentication with limited blast radius

MCP tool output leaking non-sensitive internal metadata

Low (CVSS 0.1–3.9)

No monetary reward (may be eligible for swag or public recognition at our discretion).

Information disclosure of non-sensitive metadata (e.g., software versions, internal path names, stack traces in error responses)

Missing security headers with no demonstrated exploit

Self-XSS or issues requiring implausible user interaction chains

Rate limiting gaps on non-sensitive endpoints

Vulnerabilities only exploitable in non-default configurations

Actual rewards are determined on a case‑by‑case basis and may vary based on factors such as exploitability, business impact, affected assets, report quality, and whether issues can be chained with other findings.

Certain categories of findings, such as purely informational issues or low‑impact findings (for example, clickjacking on pages with no sensitive actions), are generally not eligible for monetary rewards, even if they are accepted as valid reports.

Only exploitable vulnerabilities with a demonstrated proof of concept will be considered for monetary rewards. Reports of missing headers, best-practice gaps, or theoretical risks without a working exploit are generally not eligible.

Kindo also reserves the right to offer public recognition or other non‑monetary rewards at its discretion.

Payments are processed exclusively via PayPal. We do not offer payments via cryptocurrency, wire transfer, or any other method.

If a reward is deemed awardable, we will process payment within fifteen (15) business days of receiving the reporter's PayPal email address.

All applicable taxes, currency conversion fees, and payment processing fees are the sole responsibility of the reporter.

Contact us

bugs@kindo.ai
The Future of Enterprise Operations is Autonomous
Platform
Teams
Company

Get a demo to see how Kindo can take your organization from siloed teams to seamless and secure AI-driven operations.

Get a demo
Contact Us
Back To Top
BlogTerms of UsePrivacy Policy
© 2026 Usable Machines, Inc. (dba Kindo)