Responsible Disclosure Policy
ABN: 64 108 741 214
Effective date: 4 June 2026
Contact: admin@getkova.co
1. About this policy
Kova processes commercially sensitive project data, design files, and project management integrations on behalf of software agencies and their clients.
We welcome reports from researchers, customers, and the security community who identify vulnerabilities in our platform.
2. What to report
We are interested in reports covering:
- authentication and authorisation vulnerabilities
- workspace isolation failures or cross-tenant data access
- injection vulnerabilities including SQL, prompt, and command injection
- sensitive data exposure
- insecure handling of OAuth tokens or integration credentials
- broken access control
- security misconfigurations with meaningful impact
- significant vulnerabilities in our integrations with Figma, Jira, Slack, or other connected services
3. Out of scope
The following are out of scope and should not be tested:
- denial of service or resource exhaustion attacks
- automated scanning without prior written permission
- social engineering or phishing of Kova staff or customers
- physical security
- attacks against third-party services outside our control
- reports based on outdated browser or software versions
- missing security headers that do not present a practical exploit path
- rate limiting findings that do not lead to meaningful data exposure
4. How to report
Send your report to: admin@getkova.co
Subject line: Security Disclosure — [Brief description]
Include:
- a clear description of the vulnerability
- the steps to reproduce it
- the potential impact
- any proof-of-concept or supporting material you consider relevant
5. What happens after you report
We will:
- acknowledge your report within 5 business days
- investigate and assess the severity of the issue
- keep you informed of progress where reasonable
- remediate confirmed vulnerabilities as a priority based on severity
- credit you publicly by name or handle, as you prefer, if you are the first to report a valid previously unknown vulnerability and you request recognition
6. Our expectations
In exchange for engaging with this programme, we ask that you:
- do not access, modify, or delete data belonging to other users
- do not disclose the vulnerability publicly until we have had a reasonable opportunity to remediate it — we request a minimum of 90 days from acknowledgement
- do not conduct testing that causes degradation of service for other users
- act in good faith throughout
7. No legal action
Kova will not take legal action against researchers who discover and report vulnerabilities in good faith in accordance with this policy.
This commitment does not extend to testing outside the scope defined above or to activity that causes harm to Kova customers or their data.
8. No compensation
Kova does not currently operate a paid bug bounty programme. Participation is voluntary. We offer public recognition for valid, responsibly disclosed findings.
9. Contact
Kova
ABN 64 108 741 214
Email: admin@getkova.co
Website: www.getkova.co