09 · Responsible Disclosure
Report a flaw.
Official framework.
Responsible vulnerability disclosure policy. MyKonci thanks the security research community for its contribution to the platform's protection.
Last updated · 2 April 2026
01 · Our commitment
MyKonci recognises the importance of security researchers' work and commits to:
- Take every report seriously and respond as quickly as possible.
- Keep the researcher informed of the handling progress.
- Publicly credit the researcher (if desired) once the vulnerability is fixed.
- Not pursue legal action against a researcher who respects this policy (safe harbor).
02 · Scope
In scope:
- mykonci.com and all its active sub-domains.
- The MyKonci API and its public endpoints.
- The application dashboard.
Out of scope:
- Our sub-processors' sites and services (Hetzner, OpenAI, Stripe, Twilio, etc.): report directly to the sub-processor concerned.
- Denial-of-service attacks (DDoS, flood).
- Purely theoretical reports without technical demonstration of impact.
- Social engineering against employees or customers.
- Vulnerabilities requiring physical access to systems.
- Attacks on the host's physical infrastructure.
03 · Rules
To be protected by the safe harbor policy, the researcher must:
- Report the vulnerability privately via the channel indicated below.
- Give MyKonci a reasonable time to fix before any public disclosure (90 days by default, negotiable).
- Not exploit the vulnerability beyond what is strictly necessary to demonstrate it.
- Not access, modify or delete data that does not belong to them.
- Not attempt to extract bulk data, even if technically feasible.
- Not use the vulnerability for personal or commercial purposes.
- Comply with applicable law.
04 · How to report
Send an email to security@mykonci.com with the following information:
- Clear description of the vulnerability.
- URL(s) and component(s) concerned.
- Detailed reproduction steps.
- Estimated potential impact.
- Any useful proof of concept (PoC), respecting the rules above.
- Your contact details and whether you would like public credit (name, handle, link).
For sensitive reports, you can encrypt your message with our PGP key, available on request from the same address.
05 · Our response commitment
- Acknowledgement: within 48 hours.
- Initial diagnosis: within 7 business days.
- Fix: depending on severity, from a few days (critical) to 90 days (low).
- Follow-up: regular communication with the researcher until the fix.
- Coordinated disclosure: coordinated publication after the fix, with credit to the researcher if desired.
06 · Recognition
Researchers whose report led to the fix of a genuine vulnerability can be credited on a public recognition page (hall of fame) after the fix, subject to their agreement. No remuneration is paid at this stage, but MyKonci is considering setting up a bug bounty programme in the future.
07 · Legal framework
MyKonci commits not to pursue civil or criminal action against a researcher who respected this policy and acted in good faith. This commitment does not extend to acts going beyond the strict scope of the research (data theft, extortion, privacy breach, etc.).
08 · Contact
Any report or question: security@mykonci.com.