.png)
.png)
Vulnerability Disclosure Program
Kindo welcomes responsible security research and appreciates reports that help keep our systems and customers safe. If you believe you’ve found a security issue, please report it privately and we’ll work with you to investigate and remediate.
Scope
This VDP applies to all internet-facing systems and applications owned or operated by Kindo.ai, including:
Kindo web properties
Deep Hat web properties
API interfaces
Acquired companies and related companies
Out of Scope
The following are explicitly excluded from this VDP:
Internal systems not accessible from the internet.
Systems of third-party vendors or partners.
Physical security vulnerabilities (e.g., building access).
Denial of Service (DoS) vulnerabilities. While we appreciate reports of potential DoS vulnerabilities, we ask that researchers refrain from testing them against our systems.
Social engineering attacks (e.g., phishing).
Vulnerabilities in third-party libraries or frameworks unless they are uniquely exploitable in our implementation.
The LLM (Deep Hat) product and associated AI/ML model endpoints. Prompt injection, jailbreak attempts, and other LLM-specific attack techniques against Deep Hat are not in scope for this program.
We will not create accounts for researchers or provide them with access.
Responsible Disclosure Guidelines
We request that security researchers follow these guidelines when reporting vulnerabilities:
Safe Harbor
Kindo.ai commits to working with security researchers in good faith. If you follow the guidelines outlined in this VDP, we will not initiate legal action against you for accidentally accessing systems or data while conducting security research. This safe harbor applies even if your actions would otherwise violate our terms of service or other agreements.
Response process
Upon receiving a vulnerability report, we will:
1
Acknowledge receipt of the report within 15 business days.
2
Investigate the reported vulnerability and assess its impact. Investigations will take anywhere from 60 to 90 days.
3
If investigations confirm a reported issue, we aim to remediate confirmed vulnerabilities within 60–90 days of validation, depending on complexity and risk.
Rewards and Severity
We evaluate submissions using an internal severity model that aligns with common industry practice.
While estimated CVSS scores from reporters are welcome, Kindo will make the final determination for severity scoring based on our own research and analysis. CVSS scoring is calculated based on CVSS v.4.0 standards. Here is a publicly available CVSS v.4.0 calculator for reference: https://www.first.org/cvss/calculator/4.0
Low (CVSS 0.1–3.9)
No monetary reward (may be eligible for swag or public recognition at our discretion).
Medium (CVSS 4.0–6.9)
Typically $50–$150
High (CVSS 7.0–8.9)
Typically $150–$500
Critical (CVSS 9.0–10.0)
Typically $500–$1,000, and not to exceed $1,000 per issue

