Responsible Vulnerability Disclosure Policy
Effective date: July 1, 2026 · Version 1.0
1. Scope
This policy covers the Kairon desktop browser, kaironbrowser.com and subdomains, and the extension store backend. It does not cover third-party extensions, which should be reported to their respective developers.
2. How to report
Email security@kaironbrowser.com with a description of the issue, steps to reproduce, and any proof-of-concept code. Encrypt sensitive reports using our published PGP key, linked from this page.
3. Our commitments
- Acknowledge new reports within 3 business days
- Provide a status update at least every 10 business days until resolution
- Not pursue legal action against good-faith researchers who follow this policy
- Credit researchers who wish to be named, once a fix ships
4. What we ask
Give us a reasonable window to fix the issue before public disclosure, avoid accessing or modifying user data beyond what's needed to demonstrate the vulnerability, and test only against accounts and data you own.
5. Rewards
Kairon does not currently operate a paid bug bounty, but exceptional reports may be recognized with a public acknowledgment on our Security Hall of Fame page, at the reporter's option.