Security Policy

Security is a top priority at OpenKagi. We appreciate the security research community's efforts in helping us maintain a secure platform for all users.

Reporting Security Vulnerabilities

We take all security vulnerabilities seriously. If you discover a security vulnerability within OpenKagi, please report it to us responsibly.

How to Report

  1. Email us at security@openkagi.com
  2. Include a detailed description of the vulnerability
  3. Provide steps to reproduce the issue
  4. Include any relevant proof-of-concept code
  5. Allow us reasonable time to respond and fix the issue

Note: Our encrypted reporting inbox at openkagi@protonmail.com (see Contact below) is NOT monitored daily. If you use it for an urgent issue, please also send a short notification to security@openkagi.com so we know to check it immediately.


Our Commitment

When you report a vulnerability to us, we commit to:

  • Acknowledge receipt of your report within 48 hours
  • Provide an estimated timeline for addressing the vulnerability
  • Keep you informed about our progress
  • Credit you for the discovery (unless you prefer to remain anonymous)
  • Not pursue legal action against you for responsibly disclosing the issue

Scope

✅ In Scope

  • The OpenKagi web application
  • Our public API endpoints
  • Authentication and authorization
  • Data validation and sanitization
  • Session management

❌ Out of Scope

  • Physical attacks or social engineering
  • Denial of Service (DoS) attacks
  • Excessive automated scanning
  • Third-party services or websites
  • Accessing other users' data

Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized with respect to any applicable anti-hacking laws
  • Exempt from restrictions in our Terms of Service
  • Lawful, helpful, and conducted in good faith

You are expected to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will make it known that your actions were conducted in compliance with this policy.


Contact

Security Inbox: security@openkagi.com

Encrypted Reports: openkagi@protonmail.com (NOT monitored daily; for anything urgent, also send a short note to security@openkagi.com asking us to check our Proton Mail.)

For general inquiries, please use hello@openkagi.com

Last updated: August 29, 2025

This policy is also available in machine-readable format at /.well-known/security.txt