Security Policy

Effective Date: January 30, 2026

We take the security of Kuku seriously. If you've discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly.

1. Reporting Security Vulnerabilities

Please report security vulnerabilities by email to security@kuku.mom.

Do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

2. What to Include in Your Report

Please provide detailed information to help us understand and reproduce the issue:

  • Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
  • Detailed description of the vulnerability
  • Step-by-step instructions to reproduce the issue
  • Proof of concept code or screenshots
  • Impact assessment (what an attacker could achieve)
  • Affected versions or components

The more details you provide, the faster we can triage and fix the issue.

3. What NOT to Report (Out of Scope)

The following issues are considered out of scope:

  • Social engineering attacks
  • Phishing attacks
  • Spam or content injection
  • Denial of service attacks
  • Known issues already listed in our public issue tracker
  • Issues in third-party services we don't control

4. Responsible Disclosure

We kindly ask that you:

  • Give us reasonable time to investigate and fix the issue before public disclosure
  • Do not access or modify user data beyond what's necessary to demonstrate the vulnerability
  • Do not perform actions that could harm our users or degrade service quality
  • Do not publicly disclose the vulnerability until we've addressed it

5. Recognition

We do not offer a bug bounty program. However, we recognize and appreciate security researchers who help us keep Kuku secure.

Valid reports may be recognized in our Hall of Fame (coming soon). We'll publicly acknowledge researchers who discover and responsibly disclose security issues, unless you prefer to remain anonymous.

6. No Automated Scanning

Please do not run automated vulnerability scanners against our production services. Automated scans can cause service degradation for our users.

If you believe automated scanning is necessary, please contact us first to discuss appropriate testing methodology.

7. Legal Safe Harbor

We will not pursue legal action against security researchers who:

  • Act in good faith
  • Follow this responsible disclosure policy
  • Do not violate any laws in the process
  • Do not access or modify user data beyond what's necessary

This safe harbor applies only to security research activities conducted in accordance with this policy.

8. Contact

For security vulnerabilities: security@kuku.mom

For general questions: support@kuku.mom