Security & Vulnerability Disclosure

Koh Cyber takes security seriously. We welcome responsible disclosure from security researchers and the wider community. If you have found a potential security vulnerability in any Koh product, service, or infrastructure, please report it to us using the process below. We will work with you to understand, validate, and resolve the issue as quickly as possible.

How to Report

Send your report to security@kohcyber.com. Please include as much of the following information as possible:

• A description of the vulnerability and its potential impact.
• Step-by-step reproduction instructions or a proof-of-concept.
• The affected product, endpoint, or component (e.g., app.kohcyber.com, api.kohcyber.com, the GWS Add-on).
• Any screenshots, videos, or HTTP request/response captures that help illustrate the issue.
• Your name or handle if you would like to be credited (optional).

You may encrypt your report end-to-end using our PGP public key:

Scope

The following assets are in scope for this program:

• app.kohcyber.com — customer dashboard (Next.js frontend)
• api.kohcyber.com — REST API backend (FastAPI)
• kohcyber.com — marketing website
• GWS Add-on — Gmail sidebar add-on (Google Workspace Marketplace listing)
• v1 REST API — the customer-facing SIEM/SOAR integration API (api.kohcyber.com/api/v1/*)

The following are out of scope:

• Denial-of-service attacks (volumetric or application-level) against production infrastructure.
• Social engineering of Koh Cyber employees, contractors, or customers.
• Physical attacks against Koh Cyber offices or infrastructure.
• Spam, phishing, or mass account registration that degrades service quality.
• Vulnerabilities in third-party services (Google Workspace, Stripe, SendGrid) — please report those to the respective vendors directly.
• Automated scanning that generates significant load on production systems.

Safe Harbor

Koh Cyber will not pursue civil or criminal action against researchers who comply with this policy. We consider good-faith security research conducted in accordance with this policy to be:

• Authorized under the Computer Fraud and Abuse Act (CFAA) and similar statutes worldwide.
• Exempt from the DMCA anti-circumvention provisions where applicable to security research.
• Conducted in good faith and exempt from action under our Terms of Service for the limited purpose of security research.

To qualify for safe harbor, you must: (1) report vulnerabilities promptly and not exploit them beyond what is necessary to demonstrate the issue; (2) avoid accessing, modifying, or deleting customer data; (3) not disclose vulnerability details to any third party before we have had a reasonable opportunity to remediate; and (4) not conduct testing on customer accounts or data without explicit written permission from those customers.

Our Process

We will keep you informed at each stage. If timelines are expected to slip, we will notify you and provide an updated estimate.

Rewards

Koh Cyber does not currently operate a paid bug bounty program. Researchers who responsibly disclose valid vulnerabilities will be acknowledged in our security hall of fame (with permission) and receive our sincere appreciation. We plan to introduce a formal bounty program as the company grows.

Disclosure Policy

We follow coordinated vulnerability disclosure (CVD). Please give us a reasonable opportunity to remediate (typically 90 days for Critical and High issues) before publishing details. If you believe disclosure is necessary before remediation is complete, please contact us first so we can work out a timeline together.