Last updated: October 9, 2025
At Kasaloop, we take the security of our platform and our users' data seriously. We appreciate the security research community's efforts in helping us maintain a secure environment for building management operations.
Responsible Disclosure
We kindly ask security researchers to follow responsible disclosure practices. If you discover a security vulnerability in any Kasaloop service, please report it to us privately rather than publicly disclosing it.
How to Report a Vulnerability
Contact Information
- Email: security@kasaloop.app
- Alternative: support@kasaloop.app
- PGP Key: Download Public Key
For Sensitive Reports
We strongly encourage you to encrypt your vulnerability reports using our PGP public key. This ensures that sensitive details about the vulnerability remain confidential until we can address them.
What to Include in Your Report
Please provide as much detail as possible to help us understand and reproduce the issue:
- Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
- Affected service(s) (kasaloop.app, login.kasaloop.app, crm.kasaloop.app, api.kasaloop.app)
- Step-by-step instructions to reproduce the vulnerability
- Proof-of-concept or exploit code (if applicable)
- Potential impact of the vulnerability
- Your suggested remediation (optional but appreciated)
Our Commitment to You
- Response time: We commit to acknowledging your report within 48 hours.
- Regular updates: We will keep you informed about the progress of fixing the vulnerability.
- Public recognition: With your permission, we will credit you on our Security Acknowledgments page.
- No legal action: We will not pursue legal action against security researchers who follow this policy.
Scope
This security policy applies to the following Kasaloop services:
- kasaloop.app – Marketing and landing page
- login.kasaloop.app – Parcel management application
- crm.kasaloop.app – Customer relationship management platform
- api.kasaloop.app – API services
Out of Scope
The following are explicitly out of scope for vulnerability reports:
- Denial of Service (DoS) attacks
- Social engineering attacks against Kasaloop staff or users
- Physical attacks against Kasaloop facilities
- Reports from automated vulnerability scanners without manual verification
- Issues requiring unlikely user interaction
- Self-XSS vulnerabilities
Safe Harbor
We consider security research and vulnerability disclosure activities conducted in accordance with this policy to be authorized under applicable anti-hacking or anti-circumvention laws, and we will not initiate legal action against researchers who follow it.
Questions?
If you have questions about this policy or need clarification on any point, please contact us at security@kasaloop.app.
Note: This security policy is compliant with RFC 9116 and follows industry best practices for responsible vulnerability disclosure. We reserve the right to update this policy at any time.