VULNERABILITY DISCLOSURE POLICY

Security is Our Priority

Krucial takes the security of our systems and customers seriously. We value the security community and believe that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Our Commitment to Researchers

When you report a vulnerability to us, we commit to:

Quick Response

We acknowledge receipt within 5 business days and provide an initial response within 10 business days.

Safe Harbor

We will not take legal action against researchers who report vulnerabilities in good faith.

Recognition

We'll credit you for the discovery (if you wish) after the issue is resolved.

What's in Scope

01

Hardware & Firmware

Krucial CONNECT hardware devices and their firmware components.

02

Cloud Services

Krucial cloud services and APIs (K-Cloud).

03

Web Applications

Krucial websites and web applications.

04

Mobile Applications

Official Krucial mobile applications.

Reporting a Vulnerability

If you believe you have found a security vulnerability, please report it to us by emailing info@krucial.com with the subject line "Security Vulnerability Report".

Please include the following information in your report:

  • Description of the vulnerability and its potential impact
  • Detailed steps to reproduce the issue
  • Affected systems, URLs, or components
  • Any proof-of-concept code or screenshots
  • Your suggested remediation steps (if any)
  • Your contact information for follow-up

Our Commitment

When you report a vulnerability to us, we commit to:

  • Acknowledge receipt of your report within 5 business days
  • Assess and provide an initial response within 10 business days
  • Keep you informed of our progress in addressing the vulnerability
  • Not take legal action against you for reporting in good faith
  • Credit you for the discovery (if you wish) after the issue is resolved
  • Work collaboratively with you to understand and resolve the issue

Guidelines for Researchers

We ask that security researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data
  • Only interact with accounts you own or with explicit permission from the account holder
  • Do not engage in any activity that could harm Krucial, our customers, or our partners
  • Refrain from disclosing the vulnerability publicly until we have had a reasonable opportunity to address it (typically 90 days)
  • Do not attempt to access, modify, or delete data belonging to others
  • Stop testing and report immediately if you encounter sensitive data

Out of Scope

The following are out of scope for this policy:

  • Physical attacks against Krucial property or offices
  • Social engineering attacks against Krucial employees
  • Denial of service (DoS/DDoS) attacks
  • Spamming or phishing attempts
  • Issues in third-party services we use
  • Vulnerabilities requiring physical access to a user's device
  • Reports from automated vulnerability scanners without manual verification

Safe Harbor

We will not pursue civil action or initiate a complaint to law enforcement for security research conducted in accordance with this policy. We consider activities conducted consistent with this policy to constitute "authorized" conduct under applicable computer crime laws.

If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.