Security & Responsible Disclosure

Effective 2026-07-07 · Version 1.0

Kuhukoo takes the security of our customers' data seriously. If you believe you've found a vulnerability in our service, please tell us — we'll investigate and respond in good faith.

1. Reporting a vulnerability

Email security@kuhukoo.com with a description of the vulnerability, steps to reproduce, and any relevant proof-of-concept material. Please avoid public disclosure until we've had a chance to respond.

Response commitment: we respond within 48 hours to legitimate reports.

2. Scope

In scope:

Out of scope:

3. Safe harbor

We will not pursue legal action against researchers who report vulnerabilities responsibly and in good faith. We appreciate your help keeping Kuhukoo secure.

4. How we handle your data

5. Compliance status

Kuhukoo is currently pursuing Google CASA Tier 2 certification through TAC Security, a Google Preferred ADA CASA Assessor. Certification is expected within 4–6 weeks of engagement.

6. Contact

Machine-readable disclosure info is available at /.well-known/security.txt (RFC 9116).