Legal · effective January 1, 2026
Responsible Disclosure Program
We take security seriously. If you find a vulnerability, please tell us first — we'll fix it, credit you, and (where the impact warrants) reward you.
Scope
In scope:
- kabinet-ai.com and all its subdomains.
- Our public APIs at /api/v1/*.
- Our official mobile/desktop clients (when released).
Out of scope:
- Social-engineering attacks against our staff.
- Physical attacks on our infrastructure.
- Denial-of-service or volumetric testing.
- Vulnerabilities in third-party services (please report directly to those vendors).
- Best-practice findings without demonstrable impact (missing security headers, version disclosure, etc.).
How to report
Email security@kabinet-ai.com. Encrypt sensitive content with our PGP key (fingerprint published at /.well-known/security.txt). Please include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce, with screenshots or a proof-of-concept where appropriate.
- Your name or handle (so we can credit you).
Our commitments
- We acknowledge every report within 2 business days.
- We provide a triage decision within 7 business days.
- We will not pursue legal action against researchers acting in good faith and within this policy.
- We will credit you publicly (with your permission) once a fix is deployed.
Rewards
We pay bounties for material vulnerabilities at our discretion. Indicative ranges:
- Critical (account takeover, RCE, data exfiltration): $1,000 – $5,000.
- High (privilege escalation, SSRF, stored XSS in production): $300 – $1,000.
- Medium (CSRF on sensitive actions, IDOR with limited blast radius): $100 – $300.
- Low: hall-of-fame credit.
Hall of fame
With your permission, researchers who help keep Kabinet safe are credited in our public acknowledgements. Email security@kabinet-ai.com with your preferred name and link.