Security
Responsible disclosure for security researchers and the broader community.
If you believe you have found a security vulnerability in KlarFort (the mobile app, this website, or any subdomain of klarfort.com), we would like to hear from you. We treat every report with care and respond to every valid submission.
Report a vulnerability
[email protected]
For routine product or privacy questions, please use [email protected] instead.
Scope
The following are in scope for responsible disclosure:
- The KlarFort mobile application (current public release).
- This website at klarfort.com and any subdomain of klarfort.com.
The following are out of scope:
- Issues on third-party platforms or services we do not operate (mobile app stores, our hosting provider, the AI provider used by opt-in features). Please report those to the respective vendor.
- Volumetric denial-of-service attacks, social engineering, or physical-access attacks.
- Reports generated solely by automated scanners without proof of concept.
- Vulnerabilities that require physical control of an unlocked device.
What to include
Please include enough detail for us to reproduce the issue:
- A clear description of the vulnerability and its impact.
- Steps to reproduce, including any required environment or test data.
- Affected version, build number, or commit (if known).
- Proof-of-concept payload or screenshot if applicable.
Do not exfiltrate, retain, share, or modify user data beyond what is strictly required to demonstrate the issue. Do not run automated tests that could degrade the service for other users.
Our commitment
- We will acknowledge receipt within five business days.
- We will keep you informed as we triage and remediate.
- We will not pursue legal action against researchers who follow this policy in good faith.
- With your permission, we will credit you publicly once the issue is resolved.
Please give us a reasonable window (typically 90 days) to address valid reports before any public disclosure. We will work with you on an appropriate timeline if the issue requires longer.
PGP / signed reports
If you prefer to encrypt your report, mention this in your initial email and we will respond with a current public key. Plain-text email to the address above is also acceptable.