Security & responsible disclosure
Kuulu takes the security of our verified-identity marketplace seriously. If you have found a vulnerability, we want to hear about it — this page explains how to report it and what to expect from us.
How to report a vulnerability
Email a clear description of the issue, the steps to reproduce it, and any proof-of-concept to our security team. Please do not publicly disclose the issue until we have had a chance to fix it.
Security contact: security@kuulu.ee
Our commitment
We will acknowledge your report, keep you informed of our progress, and credit you for the discovery if you wish. We ask that you act in good faith, avoid privacy violations and service disruption, and give us reasonable time to respond.
Disclosure window
We commit to a 90-day coordinated disclosure window: we will work to remediate confirmed reports within 90 days, after which details may be published. Kuulu does not run a paid bug-bounty programme in v1, but we will publicly acknowledge researchers who report valid issues.
Machine-readable contact details follow RFC 9116 and are published at /.well-known/security.txt.