Report a vulnerability

How to disclose a security issue in any Klyna product responsibly. Direct email is preferred. Encrypted reports welcome. We aim for first response within 48 business hours.

Updated June 10, 2026

If you find a vulnerability in the Klyna site, plugin, app, or extension, please report it privately first. We treat every report as serious.

How to reach us

  • Email security@klyna.dev.
  • Optionally encrypt with our PGP key (link on the page once published).
  • Do not open a public GitHub issue for security reports.

What to include

  1. The product and version (Klyna 1.4.2, extension 0.6.0, etc.).
  2. A short proof-of-concept or reproduction steps.
  3. Your impact assessment and any suggested fix.
  4. A handle or name for the hall of fame if you want public credit.

Our SLA

  • First response: within 48 business hours.
  • Triage: within 5 business days.
  • Patch released: within 90 days for high-severity issues, sooner where possible.

Safe-harbor

Good-faith research is welcome. As long as you do not exfiltrate user data, disrupt our infrastructure, or violate the privacy of other Klyna users, we will not pursue legal action.

Out of scope

  • Self-XSS.
  • Missing best-practice headers without an exploit.
  • Social engineering of Klyna staff.
  • Denial-of-service against our public endpoints.
  • Issues in third-party services Klyna integrates with — please report those to the upstream vendor.