Security & Disclosure
If you have found a security issue in any Klyna tool, please tell us. We are a small studio and we take this seriously.
Where to report
- Email: security@klyna.dev
- PGP key fingerprint: 4F1E 9AA0 C3D2 76B1 8C57 31E0 7E2D 5A1B 9F4C 0D2A (full key at /.well-known/security.txt)
- Backup: open a private security advisory on github.com/klynahq/klyna
Our SLA
- Acknowledge: within 48 hours (business days, Asia/Karachi time).
- Triage and initial assessment: within 5 business days.
- Patch: within 90 days for high/critical, sooner for actively exploited issues.
- Disclosure: coordinated; we credit you in the advisory unless you ask us not to.
Scope
In scope:
- klyna.dev (the marketing site)
- klyna.dev/admin (the studio admin panel)
- pings.klyna.dev (the install-ping endpoint)
- Source code in any repo under github.com/klynahq — plugins, apps, extensions, themes
- Signed release artefacts published on /downloads
Out of scope:
- Your own WordPress, Shopify, or browser infrastructure where you have installed a Klyna tool. Misconfigurations there are not our vulnerabilities.
- Third-party services we depend on (Vercel, Cloudflare, Resend, GitHub, Fastmail) — report those upstream.
- Findings that require physical access, social engineering of staff, or a compromised end-user device.
- Best-practice notes (missing headers we already accept, theoretical CSP weakenings) without a demonstrated impact.
Safe harbour
We will not pursue legal action or law-enforcement involvement against you for security research carried out in good faith, as long as you:
- Stay within scope above.
- Do not access, modify, or exfiltrate data that does not belong to you (use your own test account).
- Do not run automated scanners that meaningfully degrade service for other users.
- Do not publicly disclose before we have had a reasonable chance to patch (see SLA above).
Bounty
We do not have a paid bounty programme — the project is free. We do credit researchers in the advisory and on the Hall of Fame on GitHub, and we ship Klyna swag for valid high/critical reports while supplies last.
CVE coordination
For issues that warrant a CVE, we will request one through GitHub's CNA when we publish the advisory. You are welcome to request your own through MITRE if you prefer; just coordinate the timing with us.
Questions? Email hello@klyna.dev. Security reports go to security@klyna.dev.