Skip to content

Vulnerability disclosure

We welcome reports of security vulnerabilities in software we publish, services we operate, or deliverables we have shipped under an active engagement.

Reporting

Email: [email protected]

This is the company's official inbox, used as the only channel for both routine and security communication. PGP key available on request for any vulnerability that has not yet been remediated; please use encrypted email for sensitive reports.

Please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce, or a proof-of-concept where one can be provided safely.
  • The affected asset (URL, repository, or system identifier).
  • Whether the issue has been disclosed elsewhere.

Scope

In scope:

  • This site (docs.happykokoro.com).
  • Public software we publish under our name.
  • Any deliverable we have shipped under an active engagement, when reported by the customer organization or by a researcher authorized by the customer.

Out of scope:

  • Vulnerabilities in third-party services or libraries we integrate against. Report those directly to the upstream vendor; we will coordinate if a patch is required in our integration.
  • Theoretical issues without practical exploitability.
  • Reports generated solely by automated scanners without manual validation.
  • Social-engineering attempts against personnel.

Response

  • Acknowledgment within 2 business days of receipt.
  • Triage and severity assessment within 5 business days.
  • Remediation plan or mitigation within 10 business days for confirmed issues. Critical-severity issues prioritized.
  • Status updates every 10 business days while a confirmed issue is open.

Safe harbor

We will not pursue legal action against researchers who:

  • Report in good faith.
  • Access only the data necessary to demonstrate the issue.
  • Do not modify, exfiltrate, or destroy data.
  • Do not perform attacks that degrade service availability.
  • Give us a reasonable opportunity to remediate before public disclosure.

Disclosure

We follow coordinated disclosure. Default public-disclosure window is 90 days from initial report; earlier public disclosure by mutual agreement once a fix is deployed.

No public bounty

We do not currently operate a public bug bounty program. Recognition or honorarium may be offered at our discretion for high-impact reports.