Vulnerability Disclosure Program

Kindo welcomes responsible security research and appreciates reports that help keep our systems and customers safe. If you believe you’ve found a security issue, please report it privately and we’ll work with you to investigate and remediate.

Scope

This VDP applies to all internet-facing systems and applications owned or operated by Kindo.ai, including:

Kindo web properties

Including kindo.ai, app.kindo.ai, and all related subdomains, covering the main corporate website, the customer portal, and any related web applications.

Deep Hat web properties

Including deephat.ai, app.deephat.ai, and all related subdomains.

API interfaces

This includes all publicly accessible APIs.

Acquired companies and related companies

Unless otherwise stated, this VDP also applies to systems and applications of companies acquired or owned by Kindo.ai.

Out of Scope

The following are explicitly excluded from this VDP:

Internal systems not accessible from the internet.

Systems of third-party vendors or partners.

Physical security vulnerabilities (e.g., building access).

Denial of Service (DoS) vulnerabilities. While we appreciate reports of potential DoS vulnerabilities, we ask that researchers refrain from testing them against our systems.

Social engineering attacks (e.g., phishing).

Vulnerabilities in third-party libraries or frameworks unless they are uniquely exploitable in our implementation.

Responsible Disclosure Guidelines

We request that security researchers follow these guidelines when reporting vulnerabilities:

Submit Comprehensive Findings

Provide detailed information: Include steps to reproduce the vulnerability, affected systems, potential impact, and any proof-of-concept code.

Limit Testing to Proof Only

Do not exploit the vulnerability beyond what is necessary to demonstrate its existence. In particular, do not access, modify, or delete data beyond what is required to show the issue, and do not take any action that could be considered malicious.

Practice Responsible Disclosure

Do not disclose the vulnerability publicly until we have had a reasonable time to investigate and remediate it; we appreciate your flexibility on timelines while we address findings. We will notify you by email once we have reviewed and investigated the report.

Report Through Official Channels

Submit your report by email to bugs@kindo.ai. Do not report vulnerabilities through social media or other public forums; reports sent anywhere other than bugs@kindo.ai may not be reviewed.

Maintain Strict Confidentiality

Keep all communication about the report confidential.

Built on Trust

Safe Harbor

Kindo.ai commits to working with security researchers in good faith. If you follow the guidelines outlined in this VDP, we will not initiate legal action against you for accidentally accessing systems or data while conducting security research. This safe harbor applies even if your actions would otherwise violate our terms of service or other agreements.

Response process

Upon receiving a vulnerability report, we will:

1. Acknowledge receipt of the report within 15 business days.

2. Investigate the reported vulnerability and assess its impact.

3. Work to remediate the vulnerability in a timely manner.

4. Keep the reporter informed of the progress of the investigation and remediation.

5. Publicly acknowledge the reporter's contribution (if they choose to be recognized) after the vulnerability has been verified and fixed.

Rewards and Severity

We evaluate submissions using an internal severity model that aligns with common industry practice. Kindo may, at its sole discretion, offer monetary rewards for valid vulnerability reports based on severity and impact.

Critical (CVSS 9.0–10.0)

Typically $500–$1,000, and not to exceed $1,000 per issue

Unauthenticated RCE on production infrastructure

Full authentication bypass — accessing any account without credentials (e.g., key exposure allowing arbitrary x-user-id/x-org-id spoofing)

Mass cross-tenant data exfiltration (e.g., SQL injection on the multi-tenant PostgreSQL database)

Compromise of encryption keys (allowing decryption of all user secrets) or of OAuth tokens at rest

Sandbox escape leading to host-level code execution

Supply chain compromise affecting customer environments

Bulk access to encrypted secrets, API key hashes, or integration credentials across orgs

High (CVSS 7.0–8.9)

Typically $150–$500

Cross-tenant data access — reading another org's conversations, workflows, or dashboard data

Privilege escalation across tenant boundaries

IDOR accessing sensitive data (message content, secrets, integration credentials) of another user, even within the same org

SSRF from MCP tool proxying reaching internal services or cloud metadata endpoints

Authentication bypass with preconditions (e.g., requires valid session + race condition)

DLP bypass exposing high-sensitivity PII (SSNs, credit cards, medical data)

Webhook signature bypass (e.g., defeating HMAC signature verification) or direct webhook token enumeration

Backend policy bypass granting unauthorized access to a protected resource

Prompt injection via MCP tool outputs that exfiltrates user data or credentials

Medium (CVSS 4.0–6.9)

Typically $50–$150

Stored/reflected XSS in an authenticated context with limited scope

CSRF on non-critical state-changing actions (e.g., renaming a dashboard)

IDOR accessing non-sensitive data within the same org (e.g., viewing another member's conversation title, not content)

Privilege escalation within the same org (e.g., member → admin of own org)

DLP bypass that leaks low-sensitivity PII (e.g., names, locations) in a single conversation

Denial of service requiring authentication with limited blast radius

MCP tool output leaking non-sensitive internal metadata

Low (CVSS 0.1–3.9)

No monetary reward (may be eligible for swag or public recognition at our discretion).

Information disclosure of non-sensitive metadata (e.g., software versions, internal path names, stack traces in error responses)

Missing security headers with no demonstrated exploit

Self-XSS or issues requiring implausible user interaction chains

Rate limiting gaps on non-sensitive endpoints

Vulnerabilities only exploitable in non-default configurations