Security Policy

Reporting A Vulnerability

If you believe you have found a security vulnerability in Kinwood, please report it to hello@kinwood.co. Include clear reproduction steps, affected URLs, and any proof-of-concept details needed for validation.

Our Commitment

We review all legitimate reports as quickly as possible, work to validate findings, and prioritize fixes based on severity and user impact. We may contact you for additional technical details during triage.

Scope

• Public web properties under kinwood.co
• Public APIs and endpoints exposed by Kinwood-owned services

Out Of Scope

• Social engineering, phishing, or physical attacks
• Denial-of-service testing, traffic flooding, or resource exhaustion
• Automated high-volume scanning that impacts service availability
• Issues requiring compromised third-party accounts

Responsible Disclosure Guidelines

• Do not access, modify, or delete user data.
• Do not publicly disclose vulnerabilities before we confirm remediation.
• Only perform the minimum testing needed to demonstrate impact.

Safe Harbor

We will not pursue legal action against security researchers acting in good faith and in accordance with this policy. Testing must avoid privacy violations, service disruption, and data destruction.