
Vulnerability Report and Disclosure Policy

Last updated 10 January, 2025

Legal Posture

Kenzo Security will not initiate legal action against individuals who report vulnerabilities through our designated Vulnerability Reporting email (vuln-report@kenzosecurity.ai). We welcome reports related to the currently available Kenzo Security products. We agree not to take legal action against individuals who:

  • Test systems or conduct research without causing harm to Kenzo Security or its customers.

  • Perform vulnerability testing within the parameters of our vulnerability disclosure program.

  • Test products in a way that does not impact customers, or obtain prior consent from customers before conducting vulnerability tests on their devices/software.

  • Comply with the laws of their location as well as the jurisdiction in which Kenzo Security operates. For instance, actions that may violate laws resulting in a claim solely from Kenzo Security (and not a criminal charge) may be acceptable, as Kenzo Security permits such activities (e.g., reverse engineering or bypassing protective mechanisms) to improve its systems.

  • Avoid publicly disclosing vulnerability details before the agreed-upon disclosure timeline has passed.

How to Submit a Vulnerability

To report a vulnerability to Kenzo Security's Product Security Team, please email us at: vuln-report@kenzosecurity.ai.

Preference, Prioritization, and Acceptance Criteria

We will use the following guidelines to prioritize and assess submissions:

  • Well-written reports in English are more likely to be resolved quickly.

  • Reports that include proof-of-concept code help us triage issues more effectively.

  • Submissions containing only crash dumps or automated tool outputs may be assigned a lower priority.

  • Reports on products not included in the scope of our program may be given lower priority.

  • Please include details on how you discovered the issue, its impact, and any suggestions for remediation.

  • If applicable, please indicate any plans for public disclosure.

What you can expect from Kenzo Security

  • A prompt response to your email (within 2 business days).

  • After triage, we will provide an estimated timeline and keep you informed about any challenges that could delay the resolution process.

  • Ongoing communication to discuss the vulnerability and its resolution.

  • Notifications at each stage of the vulnerability review process.

  • Recognition once the vulnerability has been validated and addressed. If communication issues arise or other difficulties prevent resolution, Kenzo Security may involve a neutral third party to assist in determining the best course of action.

Kenzo Security™ 2024
