Security

Vulnerability Disclosure Policy

Effective Date: April 25, 2026

At Kultur.dev (operated by Global InTech AS), we take the security of our platform, users, and data seriously. We welcome and appreciate responsible security research conducted by the community. This policy outlines how to report vulnerabilities and what you can expect from us in return.

Scope

This policy applies to the following assets owned and operated by Kultur.dev:

  • kultur.dev (website and web application)
  • api.kultur.dev (API endpoints and MCP Server)
  • Any subdomains of kultur.dev

The following are explicitly out of scope:

  • Third-party services and integrations not operated by Kultur.dev
  • Social engineering attacks against Kultur.dev employees or contractors
  • Denial-of-service (DoS/DDoS) attacks
  • Physical security attacks
  • Automated vulnerability scanning that generates excessive traffic

How to Report a Vulnerability

If you believe you have discovered a security vulnerability, please report it to us by emailing:

[email protected]

Please include the following information in your report:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact of the vulnerability
  • Any proof-of-concept code or screenshots
  • Your contact information for follow-up

Our Commitment

When you submit a vulnerability report, we commit to:

  • Acknowledging receipt of your report within 3 business days
  • Providing an initial assessment within 10 business days
  • Keeping you informed of our progress toward resolving the issue
  • Crediting you publicly (if desired) once the vulnerability is resolved
  • Not pursuing legal action against researchers who follow this policy

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized and will not pursue legal action against you, provided that you:

  • Act in good faith and avoid privacy violations, data destruction, or service disruption
  • Only interact with accounts you own or have explicit permission to test
  • Do not access, modify, or delete data belonging to other users
  • Stop testing and report immediately upon discovery of a vulnerability
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it (minimum 90 days)
  • Comply with all applicable laws

Recognition

We believe in recognizing the contributions of security researchers. While we do not currently operate a paid bug bounty program, we offer:

  • Public acknowledgment on our Security Hall of Fame (with your permission)
  • A letter of appreciation for verified, responsibly disclosed vulnerabilities
  • Early notification of resolution and patch details

Contact

  • Response Time: Within 3 business days
  • Preferred Language: English
  • PGP Key: Available upon request

This policy is subject to change. The latest version will always be available at https://kultur.dev/security.