Responsible Disclosure

k&z values the security research community. If you have discovered a vulnerability in our quantum AI infrastructure platform, we want to hear from you.

Effective Date: January 1, 2026 — Version: 1.0

1. Introduction

K&z Limited (“k&z”) takes the security of our quantum AI infrastructure platform seriously. We recognize that security researchers and the broader community play a vital role in identifying vulnerabilities and helping us maintain the security and integrity of our systems. This Responsible Disclosure Policy (“Policy”) provides guidelines for conducting security research and reporting vulnerabilities to k&z in a responsible manner.

We are committed to working with security researchers who follow this Policy, and we will not pursue legal action against individuals who discover and report vulnerabilities in good faith in accordance with these guidelines.

2. Scope

2.1 In-Scope Systems

The following systems and services are within the scope of this Responsible Disclosure Policy:

  • Web Applications: kandz.co and all subdomains (*.kandz.co), including the platform dashboard, API gateway, and documentation portal.
  • APIs: All publicly documented k&z API endpoints, including the Quantum Runtime API, Job Management API, Account Management API, and Billing API.
  • SDKs and Client Libraries: Official k&z SDKs published on PyPI, npm, and other package registries.
  • Mobile Applications: Official k&z mobile applications available on the Apple App Store and Google Play Store.
  • Authentication and Authorization Systems: Login flows, MFA implementation, OAuth/OIDC integration, API key management, and session handling.

2.2 Out-of-Scope Items

The following are explicitly out of scope and should not be tested:

  • Physical security of k&z facilities, quantum computing laboratories, and data centers, and any attack requiring physical access to k&z equipment or infrastructure;
  • Social engineering in any form (phishing, vishing, smishing, spam) against k&z employees, contractors, or clients;
  • Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks;
  • Attacks against the personal accounts or devices of k&z employees or partners;
  • Third-party services and applications not owned or operated by k&z;
  • Automated vulnerability scanning that generates excessive traffic or could degrade service availability; and
  • QPU hardware, cryogenic systems, and quantum control electronics, unless explicitly authorized in writing by k&z.

3. How to Report a Vulnerability

3.1 Reporting Channel

Please report all security vulnerabilities to:

  • Email: support@kandz.co

This address is shared with general support, so please state clearly in the subject line that the message is a security vulnerability report.

For sensitive reports, we recommend encrypting your communication using our PGP public key, which is available at kandz.co/.well-known/security.txt and on public keyservers. Before encrypting, check that the fingerprint of any copy obtained from a keyserver matches the key referenced from security.txt.

3.2 What to Include in Your Report

To help us understand and reproduce the vulnerability, please include the following information in your report:

  • Description: A clear and detailed description of the vulnerability, including the type of issue (e.g., XSS, SQL injection, authentication bypass, IDOR, SSRF).
  • Affected System: The specific URL, API endpoint, SDK version, or application component affected.
  • Steps to Reproduce: Detailed, step-by-step instructions to reproduce the vulnerability, including any required tools, scripts, or payloads.
  • Proof of Concept: A working proof of concept (PoC) demonstrating the vulnerability. Screenshots, screen recordings, or code snippets are helpful.
  • Impact Assessment: Your assessment of the potential impact and severity of the vulnerability, including what data or functionality could be compromised.
  • Environment Details: Browser version, operating system, network configuration, or any other environmental factors relevant to reproducing the issue.
  • Your Contact Information: A way for us to reach you for follow-up questions. You may report anonymously, but we may be unable to provide status updates or recognition without contact information.

4. Safe Harbor

4.1 Legal Protection

k&z considers security research conducted in accordance with this Policy to be authorized activity. We will not pursue civil or criminal legal action against researchers who:

  • Act in good faith and in compliance with this Policy;
  • Avoid actions that could harm k&z, our clients, or third parties;
  • Do not access, modify, or delete data belonging to other users or clients;
  • Stop testing and report the vulnerability promptly upon discovery;
  • Do not publicly disclose the vulnerability before k&z has had reasonable time to investigate and remediate; and
  • Only interact with accounts they own or have explicit permission to test.

4.2 Limitations

Safe harbor protection does not extend to:

  • Activities that violate any applicable law or regulation, including computer fraud, data protection, and export control laws;
  • Access to or exfiltration of client data, personally identifiable information, or confidential business information;
  • Actions that intentionally or recklessly degrade the availability or performance of the Services;
  • Activities conducted against out-of-scope systems as defined in Section 2.2; or
  • Disclosure of vulnerability details to third parties before k&z has confirmed remediation or the coordinated disclosure timeline in Section 8 has elapsed, whichever comes first.

4.3 Third-Party Complaints

If a third party initiates legal proceedings against you for activities conducted in compliance with this Policy, k&z will take reasonable steps to make it known that your actions were authorized under our Responsible Disclosure program.

5. Response Timeline

k&z commits to the following response timeline for vulnerability reports:

  Action                                          Timeline
  Initial acknowledgment of report                Within 24 hours
  Triage and severity assessment                  Within 3 business days
  Status update to reporter                       Within 7 business days
  Remediation of critical vulnerabilities         Within 48 hours of confirmation
  Remediation of high-severity vulnerabilities    Within 7 days of confirmation
  Remediation of medium-severity vulnerabilities  Within 30 days of confirmation
  Remediation of low-severity vulnerabilities     Within 90 days of confirmation
  Notification to reporter upon remediation       Within 48 hours of fix deployment

k&z will keep reporters informed of our progress throughout the investigation and remediation process. If we need additional information to reproduce or understand the vulnerability, we will reach out promptly.

6. Recognition Program

6.1 Acknowledgment

k&z recognizes and appreciates the contributions of security researchers who help us improve the security of our platform. With the researcher’s consent, we will publicly acknowledge their contribution on our Security Hall of Fame page.

6.2 Eligibility

To be eligible for recognition, a vulnerability report must:

  • Be the first report of a previously unknown vulnerability;
  • Relate to an in-scope system as defined in Section 2.1;
  • Demonstrate a genuine security impact;
  • Be submitted in compliance with this Policy; and
  • Not be submitted by a current k&z employee, contractor, or immediate family member thereof.

6.3 Rewards

k&z may, at its sole discretion, offer monetary rewards or k&z platform credits for qualifying vulnerability reports. Reward amounts depend on the severity and impact of the vulnerability, the quality of the report, and the novelty of the finding. Typical reward ranges are:

  • Critical: USD 2,000 – USD 10,000
  • High: USD 500 – USD 2,000
  • Medium: USD 100 – USD 500
  • Low: Public recognition and k&z platform credits

7. Researcher Guidelines

When conducting security research, please adhere to the following guidelines:

  • Only test against accounts you own or have explicit authorization to test;
  • Do not access, download, or modify data belonging to other users;
  • Minimize the amount of data accessed during testing — stop and report as soon as you have sufficient evidence to demonstrate the vulnerability;
  • Do not perform destructive testing or actions that could impact service availability;
  • Rate-limit any automated scanning tools you use; scanning that could degrade service performance is out of scope (see Section 2.2);
  • Respect user privacy and do not collect or store personal information of other users;
  • Do not exploit the vulnerability beyond what is necessary to demonstrate its existence; and
  • Coordinate with k&z on disclosure timing — we request a minimum of ninety (90) days to remediate before public disclosure.

8. Coordinated Disclosure

k&z follows a coordinated disclosure approach. We request that researchers refrain from publicly disclosing vulnerability details until we have had the opportunity to investigate and remediate the issue. We commit to working with researchers to establish mutually agreed-upon disclosure timelines. In general, we target public disclosure within ninety (90) days of the initial report, or sooner if a fix has been deployed.

9. Contact

For all security vulnerability reports and related inquiries:

  • Email: support@kandz.co
  • PGP Key: Available at kandz.co/.well-known/security.txt
  • Security Page: Security Overview

For non-security-related inquiries, please contact our general support team at support@kandz.co.