Konduit Vulnerability Disclosure Policy

Last updated: 2026-04-26

We welcome security research conducted in good faith. This policy explains what's in scope, how to report, and what we commit to in return.

Reporting a vulnerability

Email: security@konduit.punkter.app
Acknowledgement target: 5 business days
Initial assessment target: 14 business days

Include in your report:

• Affected URL or endpoint
• Steps to reproduce
• Impact assessment (what could an attacker achieve?)
• Your name and contact (or pseudonym for hall of fame, if you'd like recognition)

In scope

• konduit.punkter.app (production web app)
• api.konduit.punkter.app (production API)
• Any subdomain ending .konduit.punkter.app

Out of scope

• Hetzner infrastructure (report to Hetzner directly)
• Stripe / Resend / Keycloak / GitHub services (report to vendor)
• Social engineering of Konduit personnel
• Physical attacks
• Denial-of-service attacks
• Issues in third-party dependencies (report upstream first; we'll coordinate)
• Email spoofing if SPF/DKIM/DMARC pass

Safe harbour

If you make a good-faith effort to comply with this policy during your research, Konduit will:

• Not pursue legal action against you under Swedish penal code Ch. 4 §9c (computer trespass) or related statutes
• Work with you to understand and resolve the issue quickly
• Recognise your contribution publicly (with your permission) if you wish

"Good-faith effort" means:

• You did not access, modify, exfiltrate, or destroy data beyond the minimum needed to demonstrate the vulnerability
• You did not target other Konduit users
• You did not use the vulnerability for personal gain
• You reported promptly via the channel above
• You gave us a reasonable disclosure window before going public (90 days default; we'll discuss extensions for high-impact issues)

What we commit to

• Acknowledge your report within 5 business days
• Provide an initial assessment within 14 business days
• Keep you informed during remediation
• Credit you publicly with your permission
• Not pursue legal action for good-faith research per safe harbour above

What we ask

• Use only the in-scope assets
• Don't access data beyond what's needed to demonstrate the issue
• Don't disrupt service for other users
• Give us a reasonable window before public disclosure (90 days default)
• Don't sell or share the vulnerability with third parties before coordinated disclosure

Bug bounty

We do not currently offer monetary bounties. We offer recognition, coordination, and our gratitude.

Severity scale

We use CVSS v3.1 to rate severity. Patch SLA:

• Critical (CVSS 9.0+): patched within 7 days
• High (CVSS 7.0–8.9): within 30 days
• Medium (CVSS 4.0–6.9): within 90 days
• Low (CVSS < 4.0): next release

Contact

security@konduit.punkter.app
For non-vulnerability security questions: compliance@konduit.punkter.app