K0NSULT's Coordinated Vulnerability Disclosure (CVD) policy. This is the first thing a serious security researcher checks when assessing whether an organization is credible: is there somewhere to report, is good-faith activity protected, and what is in scope. The policy is aligned with ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling).
We authorize security testing within the boundaries of this policy and commit to act in good faith toward researchers who act in good faith toward us. This policy is a live organizational commitment, not a marketing statement.
We accept vulnerability reports from any researcher and treat them seriously. We commit to:
Evidence-first. Every accepted vulnerability receives an evidentiary status and is closed only after proof of remediation (validation). The same doctrine that governs the entire ipIII portal, that a claim may never outrun its proof (claim ≤ proof), governs the handling of reports.
If you act in good faith and within the boundaries of this policy, we consider your activities authorized. Specifically:
In-scope testing performed in line with the rules below is treated as permitted — not as unauthorized access.
We will not report you to law enforcement nor pursue a civil claim for activity consistent with the policy.
If you accidentally exceed scope but immediately stop, report, and do not exploit the access — we will treat it as good-faith activity.
If a third party takes action against you for conduct consistent with this policy, we will confirm it was authorized.
In scope:
• Web application k0nsult.cloud and its public subdomains
• Public API k0nsult.cloud/api/* (see the scope matrix at the end of this page, which lists /api/* as out of scope unless explicitly invited; where this list and the matrix differ, follow the more restrictive entry and ask through the contact channel first)
• Authentication, authorization, access control (IDOR/BOLA)
• Injections (SQLi, XSS, SSRF, prompt injection into AI functions)
• Data disclosure, misconfiguration, secret exposure
Out of scope (do not test):
• Volumetric attacks / DoS / DDoS, stress and load tests
• Social engineering of staff, phishing, vishing, pretexting
• Physical attacks on offices, hardware, personnel
• Testing on real user accounts / data without consent
• Spam, automated scanners generating noise without verification
• Vulnerabilities solely in third-party dependencies with no impact on us
Minimal-impact principle. If a test may compromise availability, data integrity, or user privacy — do not run it. Stop and ask through the contact channel.
The contact channel is published in the security.txt format (RFC 9116):

```
# https://k0nsult.cloud/.well-known/security.txt
Contact: mailto:security@k0nsult.cloud
Policy: https://k0nsult.cloud/ai-truth/ipIII/disclosure
Preferred-Languages: pl, en
Canonical: https://k0nsult.cloud/.well-known/security.txt
```

Note that RFC 9116 requires an Expires field (exactly one, in RFC 3339 date-time form, ideally less than a year out); it is not present in the file as shown above, so researchers should check the live file and treat the contact details as stale once that date has passed.
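The following linter is an added example and not code from the page or from K0NSULT; it parses a security.txt body and checks the RFC 9116 rules a researcher cares about before trusting the contact channel (Contact present and using mailto:, tel: or https://; Expires present exactly once, not yet passed and not more than a year out; Preferred-Languages at most once; web URIs in optional fields using https; Canonical matching the URL the file was fetched from). The sample file is the one shown on this page, split one field per line (an assumption about how it is served); the Expires date in the second sample is assumed, purely to show a compliant file.

```python
"""Minimal RFC 9116 security.txt linter (added example, not the site's own code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the file shown on this page, one field per line (assumed layout).
PAGE_SAMPLE = """# https://k0nsult.cloud/.well-known/security.txt
Contact: mailto:security@k0nsult.cloud
Policy: https://k0nsult.cloud/ai-truth/ipIII/disclosure
Preferred-Languages: pl, en
Canonical: https://k0nsult.cloud/.well-known/security.txt
"""

# Same file with the Expires field RFC 9116 requires; the date is an assumption for illustration.
PAGE_SAMPLE_WITH_EXPIRES = PAGE_SAMPLE + "Expires: 2026-06-30T23:59:00Z\n"


def parse_security_txt(text):
    """Map lowercased field name -> list of values; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"not a 'Field: value' line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_datetime(value):
    """RFC 9116 uses the RFC 3339 date-time form, e.g. 2026-06-30T23:59:00Z."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_security_txt(text, canonical_url=None, now=None):
    """Return a list of problem strings; an empty list means the file passes these checks."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_datetime(now)
    problems = []
    fields = parse_security_txt(text)

    # Contact: required, at least one; web URIs must be https (RFC 9116 section 2.5.3).
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact: missing (required)")
    for c in contacts:
        if not re.match(r"^(mailto:|tel:|https://)", c):
            problems.append(f"Contact: not a mailto:, tel: or https:// URI: {c}")

    # Expires: required exactly once, must be in the future, should be under a year away (section 2.5.5).
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires: must appear exactly once, found {len(expires)}")
    else:
        try:
            exp = _parse_datetime(expires[0])
            if exp <= now:
                problems.append(f"Expires: already passed ({expires[0]}); treat the file as stale")
            elif exp - now > timedelta(days=365):
                problems.append(f"Expires: more than a year out ({expires[0]}); RFC 9116 recommends less")
        except ValueError:
            problems.append(f"Expires: not an RFC 3339 date-time: {expires[0]}")

    # Preferred-Languages: at most once (section 2.5.8).
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages: must not appear more than once")

    # Optional fields: any web URI in them must be https.
    for name in ("policy", "canonical", "acknowledgments", "hiring", "encryption"):
        for v in fields.get(name, []):
            if v.lower().startswith("http://"):
                problems.append(f"{name.title()}: must use https://, got {v}")

    # If we know where the file was fetched from, a present Canonical field must list that URL.
    canon = fields.get("canonical", [])
    if canonical_url and canon and canonical_url not in canon:
        problems.append(f"Canonical: {canonical_url} not listed in {canon}")

    return problems


if __name__ == "__main__":
    url = "https://k0nsult.cloud/.well-known/security.txt"
    for sample in (PAGE_SAMPLE, PAGE_SAMPLE_WITH_EXPIRES):
        found = check_security_txt(sample, canonical_url=url)
        print("OK" if not found else "\n".join("PROBLEM: " + p for p in found))
```

Run against the file as printed on this page, the only finding is the missing Expires field; against the variant with an Expires date it passes, and the same function reports the file as stale once the current time passes that date, which is the check to run before relying on a published contact address.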
Preferred report template (the more complete, the faster the triage):
Response clocks consistent with the vulnerability playbook (severity → time to fix):
| Phase | Time target | Priority |
|---|---|---|
| Acknowledgement of receipt (ACK) | ≤ 72 business hours | all |
| Triage and initial classification | ≤ 5 business days | all |
| Critical / actively exploited fix (KEV) | 24–48 h | P0 |
| High fix | ≤ 7 days | P1 |
| Medium fix | ≤ 30 days | P2 |
| Low fix / hardening | ≤ 90 days | P3 |
| Coordinated disclosure | agreed, by default ≤ 90 days | all |
Severity is classified from the CVSS vector and actual exploitability, not from the CVSS score alone. KEV = Known Exploited Vulnerability (a vulnerability with evidence of exploitation in the wild). Process details: vulnerability playbook.
Do not download, copy, or store data beyond the minimum necessary to prove the vulnerability.
Do not modify, delete, or encrypt data. Do not disrupt service availability.
Stop at proof of concept. Do not escalate, do not pivot, do not persist access.
Report and delete any personal data you encounter immediately. Do not browse other people's accounts.
Do not disclose publicly before remediation and without an agreed date. Disclosure is coordinated.
Test only on your own test accounts. Zero offensive payloads in production.
/.well-known/security.txt — canonical contact channel (RFC 9116).
Credit and rewards — hall of fame, criteria, tiers.
Handling process — triage, severity, remediation clocks (ISO 30111).
Threat intelligence — KEV/CVE context for prioritization.
| Area | Status |
|---|---|
| k0nsult.cloud — public static pages | in-scope (passive / low-impact) |
| /ai-truth/ipIII/sentinel and exercise pages | in-scope (demo only) |
| /api/* | out-of-scope (unless explicitly invited) |
| Login / admin panels | out-of-scope |
| Production data / personal data | out-of-scope |
| Third-party services | out-of-scope |
| DoS / load testing | PROHIBITED |
| Social engineering (staff) | PROHIBITED |
| Physical attacks | PROHIBITED |
| Data exfiltration | PROHIBITED |
| Privacy violation | PROHIBITED |