Legal
Security Policy
Security is a priority. If you discover a vulnerability in KubeBolt or kubebolt.io, we want to know. This page describes how to report it responsibly and what you can expect from us.
1. How to report
Send the details to hello@kubebolt.io with the subject line [security]. Please include:
- A description of the issue and its potential impact.
- Reproduction steps (URLs, payloads, conditions).
- Affected version (if it applies to the open-source product).
- Your name or handle (optional, if you'd like public attribution after the fix).
We'll ask you to not publicly disclose the issue until we've had reasonable time to fix it.
2. Response timelines
Our commitment:
- Acknowledgment: within 72 business hours.
- Initial triage and validation: within 7 days.
- Time to patch: proportional to severity. Critical ≤ 14 days, high ≤ 30 days, medium ≤ 90 days.
- Coordinated disclosure: we'll agree on a publication date with you after the patch, up to 90 days from the report.
3. In scope
- kubebolt.io (this marketing site) and all subdomains.
- The open-source repository github.com/clm-cloud-solutions/kubebolt and the official binaries (Helm, Docker, GHCR, Homebrew).
- The site's public APIs (e.g., the waitlist endpoint).
4. Out of scope
We don't consider the following to be vulnerabilities:
- Denial-of-service (DoS) attacks or anything requiring abnormal traffic volume.
- Client-side configuration issues outside our control (DNS, ISP, browser).
- Lax SPF/DMARC on domains we don't send mail from.
- Version banners in HTTP responses.
- Reports obtained exclusively from automated scanners without demonstrating impact.
- Vulnerabilities in third-party dependencies that already have a public CVE with a pending upstream release.
- Social engineering, phishing of the team, or physical intrusion.
5. Rules for research
When investigating, please:
- Don't access other users' data. If you find a way, demonstrate it on your own test data and let us know immediately.
- Don't degrade or interrupt the service. No load testing, no mass deletes, no rate-limit hammering.
- Don't exfiltrate or disclose private data you may have accidentally accessed; delete it and notify us.
- Comply with applicable law.
If you act in good faith following these rules, we will not pursue legal action against you for the report nor collaborate with authorities to do so (safe harbor).
6. Recognition
After fixing the issue, we may publicly acknowledge you in the release notes and on a thanks page, if you wish. We don't yet offer a bug-bounty program with monetary rewards; we'll evaluate it as the user base grows.
7. Encryption
If you'd prefer to encrypt your report with PGP, write to us first requesting our current public key. We're working on publishing a stable key in a future iteration.
8. Contact
hello@kubebolt.io · subject [security]