Vulnerability Disclosure Program

Kindo welcomes responsible security research and appreciates reports that help keep our systems and customers safe. If you believe you’ve found a security issue, please report it privately and we’ll work with you to investigate and remediate.

Scope

This VDP applies to all internet-facing systems and applications owned or operated by Kindo.ai, including:

Kindo web properties

Including kindo.ai, app.kindo.ai, and all related subdomains: This includes the main corporate website, customer portal, and any related web applications.

Deep Hat web properties

Including deephat.ai, app.deephat.ai, and all related subdomains.

API interfaces

This includes all publicly accessible APIs.

Acquired companies and related companies

Unless otherwise stated, this VDP also applies to systems and applications of companies acquired or owned by Kindo.ai.

Out of Scope

The following are explicitly excluded from this VDP:

Internal systems not accessible from the internet.

Systems of third-party vendors or partners.

Physical security vulnerabilities (e.g., building access).

Denial of Service (DoS) vulnerabilities. While we appreciate reports of potential DoS vulnerabilities, we ask that researchers refrain from testing them against our systems.

Social engineering attacks (e.g., phishing).

Vulnerabilities in third-party libraries or frameworks unless they are uniquely exploitable in our implementation.

The LLM (Deep Hat) product and associated AI/ML model endpoints. Prompt injection, jailbreak attempts, and other LLM-specific attack techniques against Deep Hat are not in scope for this program.

We will not create accounts for researchers or provide them with access.

Responsible Disclosure Guidelines

We request that security researchers follow these guidelines when reporting vulnerabilities:

Provide detailed information: Include steps to reproduce the vulnerability, affected systems, potential impact, and any proof-of-concept code. You must include proof of the exploit.
Do not exploit the vulnerability beyond what is necessary to demonstrate its existence. This includes accessing, modifying, or deleting data, or any act considered malicious.
If you have discovered a vulnerability, we ask that you disclose it to us privately, allowing us to resolve it before it is made public. Every report is taken seriously by our security team, and we will respond promptly. After the issue has been fixed, we will recognize your contribution and offer a suitable reward for helping us safeguard our users.
Submit your report through our designated email bugs@kindo.ai. Do not report vulnerabilities through social media or other public forums. Please submit reports only to bugs@kindo.ai; reports sent elsewhere may not be reviewed.
Keep all communication confidential.
Built on Trust

Safe Harbor

Kindo.ai commits to working with security researchers in good faith. If you follow the guidelines outlined in this VDP, we will not initiate legal action against you for accidentally accessing systems or data while conducting security research. This safe harbor applies even if your actions would otherwise violate our terms of service or other agreements.

Response process

Upon receiving a vulnerability report, we will:

1

Acknowledge receipt of the report within 15 business days.

2

Investigate the reported vulnerability and assess its impact. Investigations will take anywhere from 60 to 90 days.

3

If investigations confirm a reported issue, we aim to remediate confirmed vulnerabilities within 60–90 days of validation, depending on complexity and risk.

Rewards and Severity

Kindo may, at its sole discretion, offer monetary rewards for valid vulnerability reports based on severity and impact.
Severity Levels

We evaluate submissions using an internal severity model that aligns with common industry practice.

While estimated CVSS scores from reporters are welcome, Kindo will make the final determination for severity scoring based on our own research and analysis. CVSS scoring is calculated based on CVSS v.4.0 standards. Here is a publicly available CVSS v.4.0 calculator for reference: https://www.first.org/cvss/calculator/4.0
Here are CVSS score ranges and how they correspond to severity levels:

Low (CVSS 0.1–3.9)

No monetary reward (may be eligible for swag or public recognition at our discretion).

Medium (CVSS 4.0–6.9)

Typically $50–$150

High (CVSS 7.0–8.9)

 Typically $150–$500

Critical (CVSS 9.0–10.0)

Typically $500–$1,000, and not to exceed $1,000 per issue