If you identify a vulnerability in any of our systems, we commit to:

• Acknowledging your report within 5 business days
• Working with you to validate and resolve the issue quickly
• Maintaining open communication throughout the remediation process
• Crediting you publicly (with your permission) for responsible disclosures
• Providing Safe Harbor for your responsible testing and reporting activities

To report a potential security vulnerability, please contact us at:

Please include the following information:

• Clear and concise description of the vulnerability
• Steps to reproduce the issue
• Potential impact or risk
• Proof-of-concept (PoC) code or screenshots (if available)
• The environment tested (web, mobile, etc.)
• Your contact information (if you'd like a response or credit)

This policy applies to all public-facing systems and services operated by Koluvu, including but not limited to:

• www.koluvu.com
• Subdomains under koluvu.com
• Public APIs, dashboards, login pages, and user interfaces
• Backend services interfacing with job seeker and employer data

While we appreciate all reports, the following issues are out of scope and do not qualify for acknowledgement or remediation unless they demonstrate significant real-world risk:

• Missing HTTP security headers (e.g., CSP, HSTS)
• SPF, DKIM, DMARC configurations
• Clickjacking on pages without sensitive content
• Reports from automated scanning tools without proof-of-impact
• Use of known, outdated libraries without exploitation
• Social engineering, phishing, or physical attacks
• Denial of Service (DoS), spam, or brute-force attacks

To protect our users, data, and systems, please follow these responsible testing principles:

• Do not exploit the vulnerability beyond what is necessary to prove the issue
• Do not access, copy, or modify data that is not your own
• Do not disrupt services, perform denial-of-service attacks, or impact system availability
• Do not engage in any activity that could affect other users
• Use only your own accounts or explicitly authorized testing environments for verification.

Once a report is received:

• Acknowledgement within 5 business days
• Initial assessment and reproduction (within 10 business days)
• Classification and risk analysis
• Remediation plan and deployment
• Notification to reporter upon resolution

Let us know if you'd like to remain anonymous.

We strive to fix verified issues within 30 business days, though complex issues may require more time.

We are happy to publicly acknowledge your responsible disclosure efforts on a dedicated Security Hall of Fame page, if:

• The report is valid, unique, and not previously reported
• The vulnerability is within scope
• You comply with our testing guidelines and disclosure process

Let us know if you wish to remain anonymous.

We support good faith research and responsible disclosure. If your testing and reporting complies with this policy:

• We will not take legal action against you
• We consider your testing authorized under the Computer Misuse or related laws
• We will not request law enforcement investigations for your work under this policy

However, if your actions are deemed malicious, reckless, or harmful, this protection does not apply.

For questions about this policy or other security matters, reach out to: