K0NSULT // ai-truth/ipIII

Coordinated Vulnerability Disclosure Policy

K0NSULT's Coordinated Vulnerability Disclosure (CVD) policy. This is the first thing a serious security researcher checks when assessing whether an organization is credible: is there somewhere to report, is good-faith activity protected, and what is in scope. Aligned with ISO/IEC 29147 (disclosure) and ISO/IEC 30111 (vulnerability handling).

Report in good faith — we will not pursue you. You get an acknowledgement within 72h.

We authorize security testing within the boundaries of this policy and commit to act in good faith toward researchers who act in good faith toward us. This policy is a real organizational commitment (status: LIVE), not a marketing statement.

CVD flow: REPORT → ACK (72h) → TRIAGE → FIX → VALIDATION → CREDIT → COORDINATED DISCLOSURE

Testing scope. This policy authorizes testing only within the in-scope targets described below and only via non-invasive methods (no DoS, no data exfiltration, no destruction). Broader or deeper testing (e.g. red team, authorized data testing, load) requires separate Rules of Engagement (RoE) and written consent — see engagement / RoE. Monetary rewards: see bug bounty (status: ROADMAP).

1 · Our commitment [LIVE]

We accept vulnerability reports from any researcher and treat them seriously. We commit to:

Evidence-first. Every accepted vulnerability receives an evidentiary status and is closed only after proof of remediation (validation). The same claim ≤ proof doctrine that governs the entire ipIII portal governs the handling of reports.

2 · Safe Harbor — legal protection for the researcher [LIVE]

If you act in good faith and within the boundaries of this policy, we consider your activities authorized. Specifically:

Test authorization

In-scope testing performed in line with the rules below is treated as permitted — not as unauthorized access.

No prosecution

We will not report you to law enforcement nor pursue a civil claim for activity consistent with the policy.

Good faith

If you accidentally exceed scope but immediately stop, report, and do not exploit the access — we will treat it as good-faith activity.

Legal cooperation

If a third party takes action against you for conduct consistent with this policy, we will confirm it was authorized.

Safe harbor boundaries. Protection does not cover: violating the privacy of real users, destroying or modifying data, disrupting services (DoS), extortion, disclosing a vulnerability before remediation without agreement, or acting out of scope. Safe harbor does not waive third-party rights or mandatory applicable law.

3 · Scope

In-scope

• Web application k0nsult.cloud and its public subdomains

• Public API k0nsult.cloud/api/*

• Authentication, authorization, access control (IDOR/BOLA)

• Injections (SQLi, XSS, SSRF, prompt injection into AI functions)

• Data disclosure, misconfiguration, secret exposure

Out-of-scope

• Volumetric attacks / DoS / DDoS, stress and load tests

• Social engineering of staff, phishing, vishing, pretexting

• Physical attacks on offices, hardware, personnel

• Testing on real user accounts / data without consent

• Spam, automated scanners generating noise without verification

• Vulnerabilities solely in third-party dependencies with no impact on us

Minimal-impact principle. If a test may compromise availability, data integrity, or user privacy — do not run it. Stop and ask through the contact channel.

4 · How to report [LIVE]

The contact channel is published in the security.txt standard (RFC 9116):

# https://k0nsult.cloud/.well-known/security.txt
Contact: mailto:security@k0nsult.cloud
Policy: https://k0nsult.cloud/ai-truth/ipIII/disclosure
Preferred-Languages: pl, en
Canonical: https://k0nsult.cloud/.well-known/security.txt
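Added example (not K0NSULT's own tooling): a small RFC 9116 checker run over a constructed copy of the security.txt shown above. RFC 9116 requires exactly one Expires field, which the file as quoted lacks, so the checker reports that; COMPLIANT_SAMPLE, its Expires date and the fixed REFERENCE_NOW clock are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone
# Constructed copy of the security.txt quoted in this section (sample input).
SAMPLE = """# https://k0nsult.cloud/.well-known/security.txt
Contact: mailto:security@k0nsult.cloud
Policy: https://k0nsult.cloud/ai-truth/ipIII/disclosure
Preferred-Languages: pl, en
Canonical: https://k0nsult.cloud/.well-known/security.txt
"""
# Same file with the Expires field RFC 9116 mandates (constructed value).
COMPLIANT_SAMPLE = SAMPLE + "Expires: 2030-06-01T00:00:00+00:00\n"
REFERENCE_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for tests
def parse_security_txt(text):  # -> {lower-cased field name: [values]}
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # comments and blanks are allowed
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (no ':'): {line!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields
def validate_security_txt(text, fetched_url=None, now=None):
    """Return RFC 9116 findings prefixed MUST/SHOULD; an empty list passes."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    findings = []
    if not f.get("contact"):
        findings.append("MUST: at least one Contact field is required")
    expires = f.get("expires", [])
    if len(expires) != 1:
        findings.append("MUST: exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:  # RFC 3339 requires an explicit offset
                raise ValueError("missing time zone")
        except ValueError:
            findings.append("MUST: Expires is not an RFC 3339 timestamp")
        else:
            if exp <= now:
                findings.append("MUST: Expires is in the past; file is stale")
            elif exp > now + timedelta(days=365):
                findings.append("SHOULD: Expires is more than a year away")
    if len(f.get("preferred-languages", [])) > 1:
        findings.append("MUST: at most one Preferred-Languages field")
    if fetched_url and f.get("canonical") and fetched_url not in f["canonical"]:
        findings.append("SHOULD: fetched URL is not listed in Canonical")
    return findings
```

Running the checker against your own published file (passing the URL you fetched it from as fetched_url) is a cheap way to catch a stale Expires before researchers do.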

Preferred report template (the more complete, the faster the triage):

Title — one-sentence description (vulnerability type + component).
Reproduction steps — numbered, deterministic, from zero to effect.
Impact — what the vulnerability actually enables (confidentiality / integrity / availability).
PoC — minimal proof: request/response, screenshot, video. No full exploitation, no exfiltration.
CVSS — proposed vector and score (v3.1/v4.0); we will verify it.
Contact + credit — how to credit you (handle/name/anonymously).

5 · Our SLA [LIVE]

Response clocks consistent with the vulnerability playbook (severity → time to fix):

Phase | Time target | Priority
Acknowledgement of receipt (ACK) | ≤ 72 business h | all
Triage and initial classification | ≤ 5 business days | all
Critical / actively exploited fix (KEV) | 24–48 h | P0
High fix | ≤ 7 days | P1
Medium fix | ≤ 30 days | P2
Low fix / hardening | ≤ 90 days | P3
Coordinated disclosure | agreed, by default ≤ 90 days | all

Severity classification by CVSS vector and actual exploitability. KEV = Known Exploited Vulnerability. Process details: vulnerability playbook.

6 · Rules for the researcher

Do not exfiltrate

Do not download, copy, or store data beyond the minimum necessary to prove the vulnerability.

Do not destroy

Do not modify, delete, or encrypt data. Do not disrupt service availability.

Minimal PoC

Stop at proof of concept. Do not escalate, do not pivot, do not persist access.

Privacy

Report and delete any personal data you encounter immediately. Do not browse other people's accounts.

Confidential until fixed

Do not disclose publicly before remediation and without an agreed date. Disclosure is coordinated.

One test account

Test only on your own test accounts. Zero offensive payloads in production.

Related resources

security.txt

/.well-known/security.txt — canonical contact channel (RFC 9116).

Bug bounty [ROADMAP]

Credit and rewards — hall of fame, criteria, tiers.

Vulnerability playbook

Handling process — triage, severity, remediation clocks (ISO 30111).

Threat intel

Threat intelligence — KEV/CVE context for prioritization.

Honest about status. This is a policy and an invitation. The commitment to accept reports, safe harbor, and the SLA are LIVE — real from the moment of publication. In-scope testing is authorized by this policy; broader, deeper, or invasive testing requires separate Rules of Engagement (RoE / engagement). A monetary reward program is in preparation (status: ROADMAP) — credit is available right away.

Scope — in-scope / out-of-scope / prohibited

Area | Status
k0nsult.cloud — public static pages | in-scope (passive / low-impact)
/ai-truth/ipIII/sentinel and exercise pages | in-scope (demo only)
/api/* | out-of-scope (unless explicitly invited)
Login / admin panels | out-of-scope
Production data / personal data | out-of-scope
Third-party services | out-of-scope
DoS / load testing | PROHIBITED
Social engineering (staff) | PROHIBITED
Physical attacks | PROHIBITED
Data exfiltration | PROHIBITED
Privacy violation | PROHIBITED

Safe harbor — conditional. Legal protection applies only to activities conducted in accordance with this policy: no harm, no exfiltration, no privacy violation, and no exceeding of scope. Exceeding scope or using prohibited techniques voids safe harbor. Broader testing — only after a signed RoE.