Disclosure Policy

Responsible Disclosure Policy – KukuNia.com

At KukuNia, we take the security and privacy of our users very seriously. We are committed to creating a safe environment for both our customers and our community. If you’re a security researcher or a tech-savvy individual who has discovered a vulnerability in any of our platforms, we truly appreciate your efforts to act responsibly and bring it to our attention.

We encourage responsible reporting and welcome your help in keeping KukuNia secure.

Scope of the Program

This disclosure program covers both our Shopping and Parenting platforms across:

  • All platforms: Desktop website, mobile site, Android and iOS apps
  • All subdomains related to these services

NOTE:

  • A vulnerability that affects both the Shopping and Parenting sections will be treated as a single issue.
  • Bugs spanning more than one subdomain will be eligible for only one disclosure credit.
  • Any vulnerability outside our defined scope (e.g., unrelated services, third-party backends) is not eligible — but we still appreciate being informed if it affects our infrastructure.

Types of Issues We Care About

We’re particularly interested in vulnerabilities that can directly impact the security or privacy of our users. These include (but are not limited to):

  • Authentication & Authorization issues
  • Insecure cryptographic implementations
  • Remote code execution
  • Injection attacks (e.g., SQL, command)
  • Cross-site scripting (XSS)
  • Server-side request forgery (SSRF)
  • Critical business logic flaws

Out of Scope (Exclusions)

We won’t consider the following issues under our responsible disclosure program:

  • SPF/DMARC misconfigurations
  • Missing or misconfigured HTTP security headers
  • Automated or scanner-based reports without manual validation
  • Open redirects to external sites
  • Self-XSS (XSS that only affects the reporting user)
  • Vulnerabilities requiring advanced social engineering
  • Weak SSL/TLS configurations without demonstrated impact
  • Use of outdated libraries with no clear proof of concept
  • Attacks that require a man-in-the-middle position or physical access to the device
  • Missing cookie flags (e.g., Secure, HttpOnly) on cookies that carry no sensitive data
  • Credential stuffing using leaked credentials
  • Lack of code obfuscation in mobile apps
  • Missing or weak rate limiting without a demonstrated abuse scenario

Note: KukuNia reserves the right to revise or update the exclusion list.

Reporting Guidelines

If you’ve found a vulnerability, here’s how to report it responsibly:

  • Email us at: security@kukunia.com with your detailed findings
  • Include:
    • A clear description of the vulnerability
    • Steps to reproduce the issue
    • Impact assessment
    • Screenshots or screen recordings (if helpful)
    • A working proof of concept (PoC)
  • Avoid actions that could disrupt our services or affect other users.
  • Do not exploit the vulnerability or access any data beyond what’s required for your proof.
  • Respect user privacy at all times.
  • Do not engage in denial-of-service (DoS), data deletion, spamming, or social engineering tactics.
  • Do not disclose the vulnerability to others or publish any write-up without our explicit permission.
  • Multiple vulnerabilities stemming from a single root cause will be treated as one issue.

Program Terms & Acknowledgment

  • By participating in this program, you agree to abide by its terms, including any updates.
  • The first valid report of a vulnerability will be credited.
  • Once the issue is verified and resolved, KukuNia may recognize your contribution with:
    • A formal appreciation email
    • A digital certificate of recognition
    • A mention on our Hall of Fame page, based on the severity of the issue
  • Final decisions on vulnerability severity and acknowledgment rest solely with the KukuNia team.

Thank You!

We sincerely value the work of ethical hackers, researchers, and the broader security community. If you’ve gone out of your way to help us build a safer platform — thank you. Your effort matters.