Vulnerability disclosure
How to responsibly report security vulnerabilities in Koji's products, what's in scope, and the safe-harbor commitments we extend to good-faith researchers.
Our commitment
Koji values the security research community and works in good faith with researchers who responsibly report vulnerabilities. We commit to:
- Acknowledging your report within one business day.
- Validating, triaging, and responding to your report on a documented timeline aligned with severity.
- Keeping you informed through to resolution.
- Not pursuing legal action against researchers acting in good faith and within the scope of this policy.
- Crediting researchers in our internal post-mortem and, with your permission, in any public security communication.
Safe harbor
Koji considers good-faith security research conducted within the scope of this policy to be authorized. We will not initiate legal action against you, refer your activity to law enforcement, or report it to your employer, provided you:
- Report the vulnerability promptly to [email protected].
- Do not disclose the vulnerability publicly before we have had a reasonable opportunity to remediate it (typically ninety days, or sooner by agreement).
- Do not access, modify, or delete data that is not your own, beyond what is strictly necessary to demonstrate the vulnerability.
- Do not degrade the user experience for other users, disrupt our service, or perform denial-of-service testing.
- Comply with all applicable laws.
Scope
The following Koji-operated systems are in scope:
- www.koji.so and its subdomains
- The Koji web application
- Customer-facing enterprise subdomains (yourcompany.koji.so)
- The Koji public API
- The Koji MCP server endpoints
- Authentication and OAuth endpoints under www.koji.so
Outside this policy's scope
The following are outside the scope of this policy. They may still be valid issues, but please direct them elsewhere rather than reporting them as vulnerabilities here:
- Findings in third-party services and infrastructure outside Koji's control. Report those directly to the relevant vendor.
- Findings in customer-controlled configurations (for example, a customer's identity-provider misconfiguration).
- Social engineering of Koji employees, customers, or contractors.
- Denial-of-service attacks of any kind.
- Physical attacks on Koji property, personnel, or office locations.
- Spam or rate-limiting concerns that do not lead to a security impact.
- Reports generated solely by automated tools without analysis or validation.
- Issues that require physical access to a victim's device.
- Missing security headers without a demonstrated exploit chain.
- Self-XSS where user action is required and the impact is limited to the user's own browser.
What to include in a report
- A clear description of the vulnerability
- The URL or endpoint affected
- Step-by-step reproduction instructions
- The impact you observed and the worst case you can imagine
- Any supporting evidence (logs, screenshots, payloads, video)
- Whether you would like to be credited and under what name
Encrypted submissions
If your report contains sensitive information you would like encrypted in transit, ask for our PGP key in your initial message, keeping the details out of that first message; we will reply with the public key so you can send the full details encrypted.
Recognition
Koji recognizes researchers in our internal post-incident reviews and will, with your consent, name you in any public communication about the remediated finding. A paid bug bounty program is on our roadmap; if you would like to be notified when it launches, let us know in your first report.
Contact
All reports go to [email protected]. We acknowledge within one business day.