KonaSense
security.txt

Vulnerability Disclosure Policy

KonaSense is committed to protecting our customers and the broader security community. We welcome good faith security research and responsible disclosure of vulnerabilities affecting KonaSense products and services.

## Scope

In scope:

  • KonaSense web applications and dashboards operated by KonaSense
  • KonaSense browser extension and related client components
  • KonaSense APIs and backend services
  • KonaSense hosted infrastructure that is owned and operated by KonaSense

Out of scope:

  • Third-party services, integrations, or customer-managed environments not operated by KonaSense
  • Denial of Service testing, including any stress testing that impacts availability
  • Social engineering, phishing, or attempts to compromise employees, contractors, or customers

## How to report a vulnerability

Please email your report to: security@konasense.com

Include:

  • A clear description of the issue and its security impact
  • Steps to reproduce, including proof-of-concept details when possible
  • Affected product, endpoint, version, or configuration
  • Any supporting logs, screenshots, or minimal exploit payloads
  • Your contact information and preferred attribution name (optional)

If the issue is actively exploitable or involves sensitive data exposure, mark the email subject as:

CRITICAL SECURITY REPORT

## What you can expect from us

  • Acknowledge receipt within 2 business days
  • Provide an initial triage update within 5 business days
  • Work with you on validation and remediation
  • Notify you when the issue is fixed or mitigated, when feasible

Fix timelines vary based on severity and complexity, but critical issues are prioritized immediately.

## Safe harbor for good faith research

We will not pursue legal action or request law enforcement involvement against researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
  • Only access data necessary to demonstrate the vulnerability
  • Do not use the vulnerability to compromise or harm users or systems
  • Report the issue promptly and do not publicly disclose before a fix is available
  • Comply with all applicable laws and this policy

This safe harbor does not apply to:

  • Extortion attempts, ransomware behavior, or threats
  • Intentional data exfiltration beyond what is required to prove the issue
  • Unauthorized persistence, lateral movement, or privilege escalation beyond what is required to prove the issue
  • Any activity designed to degrade service availability

## Automated scanning and testing rules

Automated scanning is not allowed on KonaSense systems.

That includes Burp active scans, Nikto, DirBuster, mass fuzzing, vulnerability scanners, and any high volume automation that can create noise or impact performance.

# old_school_tip.sh
$ Keep the Burp scan button and the Nikto cannon holstered.
$ We like reports, not traffic spikes.

If you need broader testing to confirm impact, email us first and we can coordinate a safe window and a scoped target.

## Guidelines for testing

Please do:

  • Use test accounts you own or are authorized to use
  • Keep requests low volume and avoid repetitive automation
  • Stop testing once you have enough information to demonstrate the issue
  • Coordinate with us if you believe testing could affect real users

Please do not:

  • Run DoS or load tests
  • Attempt to access or modify other users' data
  • Perform automated scanning or intrusive fuzzing
  • Perform physical attacks or target employees or vendors

## Coordinated disclosure

We support coordinated disclosure. If you intend to publish, please allow us a reasonable window to remediate and coordinate details. We are happy to credit researchers in release notes or a public acknowledgements section, if desired.

## Bounty

KonaSense may offer discretionary rewards for high impact findings. Rewards are not guaranteed and are based on severity, quality of the report, and whether the issue is previously known or already being addressed.

## Privacy and data handling

Please avoid sending sensitive personal data in reports. If sensitive data is necessary to demonstrate impact, share minimal samples and redact when possible. We will handle reports as confidential and will use the information solely for triage and remediation.

## Contact

Security reports: security@konasense.com

General inquiries: hello@konasense.com
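The policy above is the human-readable side of a security.txt; the machine-readable file that RFC 9116 defines lives at /.well-known/security.txt and needs at least a Contact and an Expires line. The following is an added illustration of that format using the contacts on this page, not KonaSense's actual published file: the Policy and Acknowledgments URLs and the expiry date are assumptions chosen for the example.

```text
# /.well-known/security.txt (RFC 9116 format; example, not the published file)
# Required: how to reach the security team (mailto: or https: URI)
Contact: mailto:security@konasense.com
# Required: after this date the file should be treated as stale and re-fetched;
# the value below is an assumed date for this example
Expires: 2027-02-24T00:00:00.000Z
# Optional: link to this disclosure policy (assumed URL)
Policy: https://www.konasense.com/security
# Optional: where credited researchers are listed (assumed URL)
Acknowledgments: https://www.konasense.com/security/acknowledgements
Preferred-Languages: en
```

Keep Expires within a year of publication and refresh it when the policy is updated, otherwise automated tooling that honours RFC 9116 will treat the file as expired and ignore the contact.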

Last updated: February 24, 2026