

Vulnerability Disclosure

Kanvly welcomes responsible reports that help protect users, workspaces, and production infrastructure.

Last updated: June 4, 2026

1. How to report

Send security reports through Kanvly support with the subject "Security report". Include a clear description, affected URL or feature, impact, reproduction steps, and any safe proof of concept. Do not include third-party personal data.

2. In scope

  • Authentication or session handling flaws affecting Kanvly accounts.
  • Authorization issues that expose workspace data across users or workspaces.
  • Stored or reflected cross-site scripting on kanvly.com.
  • Server-side request forgery, remote code execution, SQL injection, or similar high-impact issues.
  • Public intake, upload, import, or AI flows that create a security risk.

3. Out of scope

  • Denial-of-service testing, spam, load testing, or destructive automation.
  • Physical attacks, social engineering, phishing Kanvly employees or users, or credential stuffing.
  • Reports that require malware, persistence, data exfiltration, or accessing data that does not belong to you.
  • Missing security headers without a demonstrated practical impact.
  • Scanner-only findings without reproduction steps or exploitable impact.

4. Research rules

Test only accounts and workspaces you own or have explicit permission to use. Stop immediately if you encounter data that is not yours. Do not modify, delete, download, or disclose other user data. Give Kanvly reasonable time to investigate and remediate before public disclosure.

5. Response and rewards

Kanvly will review reports in good faith and respond on a commercially reasonable timeline. Kanvly does not currently operate a paid bug bounty program, and submission of a report does not create an entitlement to compensation.