Security & Responsible Disclosure
Effective 2026-07-07 · Version 1.0
Kuhukoo takes the security of our customers' data seriously. If you believe you've found a vulnerability in our service, please tell us — we'll investigate and respond in good faith.
1. Reporting a vulnerability
Email security@kuhukoo.com with a description of the vulnerability, steps to reproduce, and any relevant proof-of-concept material. Please avoid public disclosure until we've had a chance to respond.
Response commitment: we respond within 48 hours to legitimate reports.
2. Scope
In scope:
- kuhukoo.com and dev.kuhukoo.com
- Kuhukoo application APIs (all endpoints under
/api) - OAuth flows and platform-connection endpoints
Out of scope:
- Third-party platforms (Meta, TikTok, Google/YouTube) — please report vulnerabilities in those platforms directly to them
- Rate limiting on public marketing pages
- Social-engineering attacks against Kuhukoo staff
- Physical security of Kuhukoo infrastructure providers
3. Safe harbor
We will not pursue legal action against researchers who report vulnerabilities responsibly and in good faith. We appreciate your help keeping Kuhukoo secure.
4. How we handle your data
- OAuth tokens for connected platforms are encrypted at rest with AES-256-GCM (versioned with an
enc:v1:prefix so future key rotation is possible without a re-encryption downtime). - TLS 1.3 for all traffic. Certificates are issued and rotated by Let's Encrypt.
- Passwords are hashed with bcrypt (cost factor 12). We never store or log plaintext passwords.
- No customer PII is shared with third parties beyond the platform APIs required to publish your scheduled content.
- Audit logs are written for all authentication events, connection create/disconnect/refresh events, and password resets. Retention: 12 months.
5. Compliance status
Kuhukoo is currently pursuing Google CASA Tier 2 certification through TAC Security, a Google Preferred ADA CASA Assessor. Certification is expected within 4–6 weeks of engagement.
6. Contact
- Legal entity: Taaj Singh OPC Private Limited (trading as Taaj Labs)
- Registered: Ludhiana, Punjab, India
- Security reports: security@kuhukoo.com
- General inquiries: contact@taajlabs.com
Machine-readable disclosure info is available at /.well-known/security.txt (RFC 9116).