Vulnerability Disclosure Policy

April 17, 2026

Introduction

At KAST, we value the work of independent security researchers who help us maintain the security of our platform and protect our users. If you believe you have discovered a security vulnerability in a KAST product or service, we encourage you to report it to us according to the guidelines below.

Scope

This policy applies to the following assets:

  • Official Website: kast.xyz and subdomains
  • Applications: KAST mobile applications
  • Infrastructure: KAST-owned APIs and services

Out of Scope

Any third-party services, social engineering, denial of service (DoS/DDoS) attacks, automated scanning that generates significant traffic, and physical attacks against KAST property or employees are strictly out of scope.

Rules of Engagement

To qualify for protection under this policy, we ask that you:

  • Act in Good Faith: Avoid privacy violations, degradation of user experience, and disruption to our production systems.
  • Protect User Data: Do not access, modify, or delete data belonging to other users. If you inadvertently access user data, stop testing immediately and report what you have discovered.
  • Maintain Confidentiality: You must keep all information about a discovered vulnerability confidential and must not disclose any such information to any third party or the public without the express prior written consent of KAST. This non-disclosure obligation remains in effect even after KAST has remediated the issue.
  • Maintain Legal Compliance: Comply with all applicable laws and regulations during your research.

Testing must not result in the storage, transfer, or exfiltration of KAST data.

How to Report

Please submit your findings to security@kast.xyz. For a timely evaluation, your report should include:

  • A clear and concise description of the vulnerability.
  • Step-by-step instructions (or a Proof of Concept script) to reproduce the issue.
  • Any supporting material (screenshots, logs, or network traces).
  • Your preferred contact details and/or alias for acknowledgement.

Note: Do not include sensitive data belonging to other users in your report.

By submitting a report to KAST, you grant KAST a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to use, review, and implement the information provided in your report for any purpose. You represent that your report is your original work and that you have the right to grant these rights.

Our Commitment

If you follow this policy, KAST commits to the following:

  • Acknowledgement: We will acknowledge receipt of your report within 5 business days.
  • Transparency: We will keep you informed of our progress where practical.
  • Safe Harbor: We will not pursue legal action against researchers who comply with the terms of this policy.
  • Recognition: With your consent, we may acknowledge your contribution on a Security Acknowledgements page.

Safe Harbor & Protection

KAST considers security research activities conducted in strict compliance with this policy to be "authorized" conduct. KAST will not initiate legal action against researchers whose security research is performed in good faith and adheres to all terms outlined herein.

Conditions of Safe Harbor

This protection is strictly contingent upon your full compliance. This Safe Harbor does not apply, and KAST reserves all legal rights, if the researcher:

  • Engages in any activity that is outside the defined Scope or violates the Rules of Engagement.
  • Attempts to extort KAST or demands payment as a condition for disclosing the vulnerability.
  • Publicly discloses the vulnerability (or any associated data) without KAST’s express written consent.
  • Violates any law.
  • Disrupts KAST services.

KAST cannot and does not authorize security research on third-party infrastructure, services, or applications used by KAST. Any research on third-party systems is at the researcher's own risk, and KAST’s Safe Harbor does not extend to third-party legal claims.

Compensation/Bounty

This is not a bug bounty program. KAST does not offer monetary rewards, "swag," or other compensation for vulnerability reports. While we may choose to provide rewards at our sole discretion in exceptional cases, participation in this program does not create any legal right or expectation of reward. KAST reserves the right to modify or terminate this policy at any time without notice.

Limitation of Liability

Under no circumstances shall KAST be liable for any direct, indirect, incidental, or consequential damages, including but not limited to loss of data or business interruption, arising out of or in connection with a researcher's activities or the use of this policy. All research is performed at the researcher's sole risk and expense. KAST is not responsible for any expenses, losses, or damages incurred by a researcher in the course of their activities.

No Agency

This policy does not create an employment, partnership, agency, or joint venture relationship between KAST and any researcher. Participation is voluntary and does not entitle the researcher to any KAST benefits or compensation.

Termination and Modification

KAST reserves the right to modify, suspend, or terminate this policy at any time without notice. We retain sole discretion in determining whether a report is valid and whether a researcher has complied with these terms.

Entire Agreement

This policy constitutes the entire understanding between KAST and the researcher regarding vulnerability disclosures and supersedes any prior digital or oral agreements.
