1. Our stance
We treat coordinated vulnerability disclosure as a two-way street. We perform research on other people's systems under the principles published on our research page; we accept research on our own systems under the same principles. Good-faith reports are welcomed, acknowledged, and acted on.
2. In scope
The following systems and surfaces are in scope for security research:
- kg3n.com and any subdomain we operate (*.kg3n.com)
- Any free tool we publish for download (PacketLock, ZeroTrustEncryptor, KG3N Sentinel, SVG PAYE Tax Calculator)
- Our published source code where applicable
3. Out of scope
The following are explicitly out of scope. Reports of these will be acknowledged but not prioritised, and they do not qualify for the safe-harbour terms in §4:
- Denial-of-service attacks (volumetric, resource-exhaustion, slowloris, etc.)
- Social engineering of staff, contractors, or anyone else
- Physical security of infrastructure or premises
- Any testing of third-party services we depend on (Hostinger, Let's Encrypt, MEGA, etc.) - report those to the third party directly
- Findings whose only impact is informational (missing security headers on static pages, banner-grabbing, theoretical CSP weaknesses with no exploit chain)
- Spam, abuse, or content moderation issues - those go to support@kg3n.com as ordinary feedback
4. Safe harbour
If you discover a vulnerability in scope (§2) and follow the rules below, KG3N Dynamics will:
- Treat your research as authorised under our Acceptable Use terms
- Not pursue civil action against you
- Not refer the matter to law enforcement
- Work in good faith to remediate within a reasonable timeframe
To stay covered by safe harbour, you must:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
- Use only the access strictly required to demonstrate the vulnerability - no bulk data exfiltration, no lateral movement beyond what the finding strictly needs
- Report the issue privately to us first and give us a reasonable window (we suggest 90 days) before any public disclosure
- Stop testing as soon as you have proof, and delete any data you incidentally accessed during research once your report has been confirmed
- Not attempt to access, modify, or delete data belonging to other users
- Comply with all applicable laws
Safe harbour does not extend to any activity listed as out of scope in §3, or to actions that go beyond what is necessary to demonstrate the vulnerability.
5. How to report
Send a report by email to support@kg3n.com with the subject line prefixed [Security]. Please include:
- The affected system or URL
- The vulnerability class (e.g. authentication bypass, IDOR, injection)
- Reproduction steps with the minimum proof of impact
- Your suggested severity rating (CVSSv3 if you have one, or a brief impact statement)
- Any preferred name or handle for acknowledgment, if you would like to be credited publicly after remediation
For sensitive reports, request our PGP key in your initial email and we will provide it before you send any technical detail. Encrypted reports are preferred for anything involving live credentials, customer data, or proof-of-concept code.
Our security contact is also published in machine-readable form at the location RFC 9116 specifies, /.well-known/security.txt, which is where automated tooling and other researchers will look for it.
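A security.txt file is only useful if it is well-formed and current: RFC 9116 makes Contact and Expires mandatory, requires Contact to be a URI (not a bare address), allows Expires and Preferred-Languages at most once, and recommends an Expires date less than a year out. The following is an added example (not code from this page or from KG3N) of a small parser and checker for that format; the sample file it checks is constructed for illustration, with placeholder example.com URLs rather than KG3N's real ones, and AS_OF is a fixed reference date so the Expires check is deterministic.

```python
"""Minimal RFC 9116 (security.txt) parser and sanity checker.

Added example; not code from the KG3N page. The sample files below are
constructed for illustration, not the site's real security.txt.
"""
from datetime import datetime, timedelta, timezone

# Fields RFC 9116 defines. Contact and Expires are mandatory;
# Expires and Preferred-Languages may appear at most once.
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "csaf", "encryption",
    "expires", "hiring", "policy", "preferred-languages",
}
SINGLETON_FIELDS = {"expires", "preferred-languages"}
HTTPS_ONLY_FIELDS = ("canonical", "policy", "acknowledgments", "hiring", "csaf")

# Fixed reference date for the Expires check (assumption for this example).
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return {field_name_lower: [values...]}, ignoring comments and blank lines.

    Raises ValueError on a line that is neither a comment nor 'Field: value'.
    """
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []

    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field '{name}'")
    for name in SINGLETON_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"'{name}' must not appear more than once")

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing mandatory 'Contact' field")
    for c in contacts:
        # RFC 9116 requires a URI; a bare e-mail address is a common mistake.
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact value is not a mailto:/https:/tel: URI: {c}")

    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing mandatory 'Expires' field")
    elif len(expires) == 1:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                problems.append("'Expires' must carry a timezone offset")
            elif exp <= now:
                problems.append("'Expires' is in the past; the file must be refreshed")
            elif exp - now > timedelta(days=365):
                problems.append("'Expires' is more than a year out (RFC 9116 recommends < 1 year)")
        except ValueError:
            problems.append(f"'Expires' is not an ISO 8601 date-time: {expires[0]}")

    # Encryption may also be a dns: or openpgp4fpr: URI; everything else must be https.
    for v in fields.get("encryption", []):
        if not v.startswith(("https://", "dns:", "openpgp4fpr:")):
            problems.append(f"'encryption' must be an https://, dns: or openpgp4fpr: URI: {v}")
    for name in HTTPS_ONLY_FIELDS:
        for v in fields.get(name, []):
            if not v.startswith("https://"):
                problems.append(f"'{name}' must be an https:// URI: {v}")
    return problems


# Constructed sample modelled on the fields this policy describes; the
# example.com URLs are placeholders, not KG3N's real locations.
SAMPLE = """\
# security.txt (constructed sample)
Contact: mailto:support@kg3n.com
Expires: 2025-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample with the three most common mistakes.
BAD_SAMPLE = """\
Contact: support@kg3n.com
Encryption: http://example.com/key.asc
"""

if __name__ == "__main__":
    print("good sample:", check_security_txt(SAMPLE, now=AS_OF) or "OK")
    print("bad sample:", check_security_txt(BAD_SAMPLE, now=AS_OF))
```

Running the checker against the live file periodically (for instance from CI) catches the silent failure mode of a security.txt that has quietly expired, which tooling treats as absent.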
6. What we will do
- Acknowledge your report in writing within 72 hours of receipt
- Confirm or dispute the finding within 10 business days
- Provide a remediation timeline once we have triaged the issue
- Keep you informed of progress at reasonable intervals
- Credit you publicly (with your permission) once the issue is fixed
- Not name you, your employer, or your tooling without your written permission
7. What we will not do
- Pay a monetary bounty - we are a small independent practice and do not run a paid programme. Acknowledgment, credit, and the satisfaction of an actually-fixed bug are what we offer.
- Demand that you sign an NDA as a condition of accepting your report
- Sit on a critical finding indefinitely - if remediation will exceed 90 days for legitimate engineering reasons, we will explain why
- Publicly disparage, shame, or take retaliatory action against good-faith researchers
8. If we disagree
If you believe we have mis-classified a finding, mishandled a report, or breached this policy, please reply to the original thread asking us to reconsider. If we still cannot reach agreement, you are free to escalate via responsible-disclosure channels or to publish after the disclosure window has elapsed - we ask only that you continue to follow the §4 conditions.
9. Changes
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Reports submitted under a previous version of this policy will be honoured under the version in force at the time of submission.
10. Contact
Email support@kg3n.com with [Security] in the subject line. Our machine-readable security contact is also published here.