Security at KodeTools

We take security seriously. Report vulnerabilities responsibly and help us keep our users safe.

Security Contact

Report security vulnerabilities to:

[email protected]

Response Time

We aim to respond within 24-48 hours.

PGP Encryption

Encrypt sensitive reports:

PGP Public Key

Vulnerability Disclosure Policy

mooncloak operates a responsible disclosure program for security researchers, users, and the community to report potential security vulnerabilities in KodeTools products and services. We appreciate your efforts to responsibly disclose your findings.

What to Report

  • Authentication bypass vulnerabilities
  • Remote code execution (RCE)
  • SQL injection, XSS, CSRF
  • Privilege escalation issues
  • Data leakage or exposure
  • Cryptographic weaknesses
  • Security misconfigurations
  • Any vulnerability that could impact user security

Out of Scope

  • Social engineering attacks
  • Physical security issues
  • Denial of Service (DoS/DDoS) attacks
  • Spam or email delivery issues
  • Missing security headers (without demonstrable impact)
  • Self-XSS or clickjacking without real impact
  • Vulnerabilities in third-party services we don't control
  • Issues requiring physical access to a user's device

How to Report a Vulnerability

1. Gather Information

Document the vulnerability with as much detail as possible:

  • Description of the vulnerability
  • Steps to reproduce
  • Proof of concept (PoC) code or screenshots
  • Potential impact and severity
  • Affected versions or components
  • Any suggested remediation

2. Send Your Report

Email your findings to [email protected]

  • Use a clear subject line: "Security Vulnerability: [Brief Description]"
  • For sensitive issues, encrypt your email with our PGP key
  • Include your contact information for follow-up
  • Do NOT publicly disclose the vulnerability yet

3. Wait for Our Response

We will acknowledge your report within 24-48 hours:

  • We'll confirm receipt and provide a tracking ID
  • We may ask for additional information or clarification
  • We'll keep you updated on our progress
  • We'll work with you on a coordinated disclosure timeline

4. Coordinated Disclosure

Once the vulnerability is fixed:

  • We'll notify you when the fix is deployed
  • We'll agree on a public disclosure date (typically 90 days)
  • We'll credit you in our security advisories (if desired)
  • You may publish your findings after the agreed date

Responsible Disclosure Guidelines

Please DO

  • Report vulnerabilities privately to [email protected]
  • Give us reasonable time to fix the issue (typically 90 days)
  • Make a good-faith effort to avoid privacy violations and data destruction
  • Use test accounts and test data when exploring vulnerabilities
  • Communicate with us about the disclosure timeline
  • Provide detailed steps to reproduce the issue
  • Be respectful and professional in your communications

Please DO NOT

  • Publicly disclose the vulnerability before we've fixed it
  • Access, modify, or delete other users' data
  • Perform attacks that could harm availability (DoS/DDoS)
  • Execute social engineering attacks on our employees or users
  • Demand payment or ransom for vulnerability information
  • Violate any applicable laws or regulations
  • Test critical production systems without explicit permission

Safe Harbor

When conducting vulnerability research according to these guidelines, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)
  • Exempt from DMCA anti-circumvention provisions
  • Protected from legal action by mooncloak
  • Lawful and conducted in good faith

We will not pursue legal action against researchers who discover and report vulnerabilities in accordance with this policy. We consider good-faith security research to be in the best interest of our users and the security community.

Bug Bounty Program

Coming Soon

We're working on establishing a formal bug bounty program to reward security researchers who help us identify and fix vulnerabilities. This program will offer monetary rewards based on the severity and impact of reported vulnerabilities.

In the meantime: We deeply appreciate all responsible disclosures and will publicly acknowledge researchers (with permission) in our security advisories and hall of fame.

Our Security Practices

Secure Development

We follow secure coding practices and conduct regular code reviews to identify and fix vulnerabilities early.

Regular Audits

We conduct security audits and penetration testing to identify and address potential vulnerabilities.

Encryption

All data in transit is encrypted using TLS 1.3. Sensitive data at rest is encrypted using industry-standard algorithms.

Privacy-First

We collect minimal data and follow privacy-first principles. No tracking, no analytics without consent.

Regular Updates

We release security patches promptly and keep our dependencies up to date to address known vulnerabilities.

Security Training

Our team receives regular security training to stay informed about the latest threats and best practices.

Security Researcher Hall of Fame

We'd like to thank the following security researchers for responsibly disclosing vulnerabilities:

Be the first to be recognized! Report a vulnerability to get listed here.

Researchers are listed with their permission. If you prefer to remain anonymous, please let us know.

PGP Public Key

For sensitive security reports, you can encrypt your email using our PGP public key. This ensures that only the mooncloak security team can read your report.

Key ID: Coming Soon
Fingerprint: Coming Soon

The PGP key will be available soon. In the meantime, please send unencrypted reports to [email protected], or use the contact form for non-sensitive information.

Additional Resources