RESPONSIBLE DISCLOSURE

At KIUNAS, we take website security and customer privacy seriously. If you believe you have found a security vulnerability on our website, we encourage you to report it responsibly.

REPORTING GUIDELINES

• Report only valid security issues that may affect privacy, security, or website integrity.
• Provide clear details and reproducible steps so our team can review the issue.
• Do not attempt to access, modify, delete, or misuse customer data.
• Do not disrupt our website, services, checkout process, or customer experience.
• Do not publicly disclose the issue until we have reviewed and resolved it.
• Include any accidental privacy exposure or service disruption in your report.

WHAT TO INCLUDE IN YOUR REPORT

• A clear description of the vulnerability.
• Steps to reproduce the issue.
• The affected URL or page.
• Screenshots or proof of concept, if available.
• Your contact information for follow-up.

REVIEW PROCESS

We review all valid security reports. Priority is based on risk, impact, exploitability, and the quality of the report. Please understand that a response may take some time depending on the complexity of the issue.

RECOGNITION

KIUNAS may acknowledge valid security reports at our discretion. Any recognition or reward is not guaranteed and depends on the severity, impact, and usefulness of the report.

The following examples may help guide report severity:

Critical Severity

• Remote code execution
• Remote shell or command execution
• Authentication bypass
• SQL injection exposing sensitive data
• Full unauthorized account access

High Severity

• Disclosure of sensitive internal data
• Stored XSS affecting other users
• Local file inclusion
• Insecure handling of authentication cookies

Medium Severity

• Business logic flaws
• Insecure direct object references
• Improper access controls

Low Severity

• Open redirects
• Reflected XSS with limited impact
• Low-sensitivity information exposure

IMPORTANT NOTICE

By submitting a report, you agree that KIUNAS may review, validate, and use the information provided to improve website security. We may also publish general information about resolved issues without exposing sensitive details.