| Version | Supported |
|---|---|
| Latest (main) | Yes |
| Older commits | No |
Do NOT open a public issue for security vulnerabilities.
Send an email to security@kopern.ai with:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment (what an attacker could do)
- Any suggested fix
Response timeline:
- 48 hours — Acknowledgment of your report
- 7 days — Assessment and severity classification
- 30 days — Fix deployed (critical/high severity)
In scope:
- Authentication bypass
- Data exposure (access to other users' data)
- Injection vulnerabilities (XSS, SQL injection, command injection)
- Server-Side Request Forgery (SSRF)
- Privilege escalation
- API key leakage
- Webhook signature bypass
Out of scope:
- Social engineering attacks
- Denial of service (DoS/DDoS)
- Vulnerabilities in third-party dependencies with no exploit path
- Issues already reported and being fixed
- Rate limiting bypass (already logged and monitored)
We credit researchers in our changelog (with permission). No bug bounty program at this time.