Security Disclosure

Last updated:

Reporting a Vulnerability

If you believe you have found a security issue affecting Kotao, please report it to security@kotao.com. A PGP key is available on request. Please include enough detail for us to reproduce the issue, ideally with steps, affected URLs, and any proof-of-concept material.

Scope

In scope:

  • The kotao.com domains and subdomains.
  • The Kotao platform and its modules (POS, PMS, CRM, ERP, RMS, HRM, CMS, BTP, payments).

Out of scope:

  • Third-party services and external infrastructure — please report directly to the relevant vendor.
  • Denial-of-service attacks against production infrastructure.
  • Social engineering of staff, contractors, or customers.
  • Physical attacks against Kotao offices or hosting facilities.
  • Issues that require privileged network access to exploit.

What to Expect

We aim to:

  • Acknowledge your report within 48 hours.
  • Provide a status update within five business days.
  • Resolve confirmed issues on a timeline that matches their severity.

Bug Bounty

Kotao does not currently run a paid bug bounty programme. We do plan to publish a public hall-of-fame credit for the first report we acknowledge, with the reporter’s permission.

Safe Harbour

Good-faith research carried out in line with this policy will not result in legal action by Kotao. Please avoid disrupting service, accessing data that is not your own, and disclosing details publicly before we have had the opportunity to remediate.

Public Disclosure

We coordinate disclosure with reporters. Please give us a reasonable window to ship a fix before publishing details. A security.txt file at /.well-known/security.txt will be made available alongside the launch and will reference this policy.

Legal context

More documents for the same platform.

Kotao connects sales, payments, guests, teams, and websites. That is why privacy, security, terms, and usage rules should be evaluated together.

Separate product and legal

These documents explain terms and responsibilities. Product details, pricing, and roadmap live on the platform pages.

Review regularly

We keep the review date, contact points, and scope visible so customers can understand changes.

Read contracts together

Privacy, DPA, Terms, Security, and Acceptable Use should be read together when evaluating Kotao for multiple teams.