
Responsible disclosure policy.

How to report a security vulnerability to us. Commitment, legal framework, response timelines.

KOLOSALTech commitment

We take the security of our website, our services and our clients very seriously. If you discover a vulnerability, we encourage you to report it to us responsibly. In return, we commit to responding to you quickly, fixing the issue, and thanking you publicly (with your consent).

Scope

In-scope:

  • kolosaltech.com and all subdomains
  • Public APIs exposed on /api/*
  • Software components and associated configurations

Out of scope:

  • Third-party vendor vulnerabilities (Vercel, Resend, Airtable, etc.) — report them directly to the vendor concerned
  • Denial-of-service attacks (DoS / DDoS)
  • Social engineering against our staff
  • Physical access to our premises or equipment
  • Destructive testing or exfiltration of real data

How to report

Send your report to:

security@kolosaltech.com

For encrypted reporting: PGP key available on request at this same address.

Your report should include:

  • A clear description of the vulnerability
  • Reproduction steps (minimal PoC)
  • Potential impact (who, what, how)
  • A suggested fix if you have one
  • Your contact details (email, handle, optional public link)

Response commitments

  • Acknowledgement of receipt within 48 business hours
  • Initial assessment within 5 business days (criticality + action plan)
  • Fix: critical within 7 days, high within 30 days, medium/low within 90 days
  • Post-fix notification: we notify you as soon as the fix is in production
  • Public recognition in our Hall of Fame (if you wish) once the fix is deployed

Rules of good conduct

  • Test only on your own accounts / data — no attempt to access other users' data
  • Do not modify or delete any data
  • Do not disrupt the service (no DoS/spam, etc.)
  • Do not disclose publicly before we have fixed the issue (embargo period: 90 days from the report, negotiable)
  • Comply with applicable French and European law (Godfrain Act, GDPR)

Safe Harbor

If you follow this policy in good faith to report a vulnerability, we commit not to pursue legal action against you, in accordance with the French responsible disclosure framework (Digital Republic Act, art. L.2321-4 CSI).

Hall of Fame

No report received to date. You could be the first!

Bug bounty

KOLOSALTech does not run a monetary bug bounty program to date. We are considering launching a YesWeHack or Intigriti program during 2026. In the meantime, valid reports earn public recognition and goodies.

Policy compliant with the RFC 9116 standard and ANSSI recommendations.

security.txt available: /.well-known/security.txt