Vulnerability Disclosure

Found a vulnerability?
Tell us. Here is how.

We appreciate researchers who help keep Keel and our customers safe. This policy describes how to report a vulnerability, what is in scope, and the protections we extend to good-faith security research.

Section 01

How to report

Email security@keelflow.ai with:

  • A clear description. Affected URL, endpoint, or feature. Vulnerability class.
  • Steps to reproduce. Numbered, minimal, with any payloads or PoC scripts attached.
  • Impact. What an attacker could do with this. Concrete is better than theoretical.
  • Your name and contact. So we can respond and credit you if you wish.
  • Optional: PGP-encrypted submission. Public key available on request from security@keelflow.ai.

Section 02

Scope

Scope is limited to Keel-owned assets. The two lists below define what you may and may not test:

In scope
  • app.keelflow.ai (the Keel application)
  • keelflow.ai (the marketing site)
  • Keel-owned APIs and webhooks
  • Keel mobile surfaces (when shipped)
  • Keel-issued client SDKs
Out of scope
  • Third-party services and sub-processors (report directly to them)
  • Customer-controlled integrations and Workspaces
  • Social engineering against Keel staff
  • Physical attacks on Keel facilities
  • Denial-of-service attacks
  • Any testing that risks customer data

Section 03

Prohibited research activities

Good-faith research protections do not extend to the following:

  • Accessing, modifying, or destroying customer data that does not belong to you.
  • Running denial-of-service or load tests against Keel infrastructure.
  • Spamming, phishing, or social engineering Keel employees, partners, or customers.
  • Physical attacks on Keel offices, hardware, or supply chain.
  • Public disclosure of a vulnerability before we have had a reasonable opportunity to remediate (see Disclosure timing below).
  • Automated scanning that generates excessive traffic. If you need to scan, run from a single source IP at a throttled rate, and put a product name and a contact address in the User-Agent string so we can recognize and reach you.
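
One way a researcher can meet the scanning clause above, as an added example (this is not Keel's code and not part of the policy): a scope guard that refuses any host not listed as in scope, a token-bucket limiter that caps the request rate, and an identifying User-Agent on every request. The User-Agent format, the mailto address, and the rate used in the demo are assumptions; the in-scope hosts are those named in Section 02. The clock and HTTP opener are injectable so the demo runs offline without touching any Keel system.

```python
"""Throttled, identified probing of in-scope hosts (added example, not Keel's code).

Assumptions: the User-Agent format, the mailto address, and the 2 req/s rate
used by demo(). In-scope hosts are the ones the policy lists.
"""
import time
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Hosts the policy lists as in scope. Anything else is refused before a
# request is even built, so a mistyped target cannot reach a third party.
IN_SCOPE_HOSTS = {"app.keelflow.ai", "keelflow.ai"}

# Assumed format: a product token plus a way for Keel to contact you.
USER_AGENT = "keel-vdp-research/1.0 (+mailto:researcher@example.com)"


def in_scope(url: str) -> bool:
    """True only for https URLs whose host exactly matches an in-scope host."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in IN_SCOPE_HOSTS


class TokenBucket:
    """Allow at most `rate` requests per second with a burst of `burst`.

    `clock` and `sleep` are injectable so the limiter can be exercised with a
    fake clock (see demo()) instead of real waiting.
    """

    def __init__(self, rate, burst=1, clock=time.monotonic, sleep=time.sleep):
        self.rate, self.capacity = float(rate), float(burst)
        self.tokens = self.capacity
        self.clock, self.sleep = clock, sleep
        self.last = clock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def acquire(self):
        """Block until one token is available; return the seconds slept."""
        self._refill()
        waited = 0.0
        if self.tokens < 1.0:
            waited = (1.0 - self.tokens) / self.rate
            self.sleep(waited)
            self._refill()
        self.tokens -= 1.0
        return waited


def probe(urls, bucket, opener=urllib.request.urlopen, timeout=10):
    """Fetch each URL through the limiter, sequentially, from this one process.

    Returns (url, status) pairs; status is the HTTP code or "out-of-scope".
    `opener` is injectable so the function can run offline.
    """
    results = []
    for url in urls:
        if not in_scope(url):
            results.append((url, "out-of-scope"))
            continue
        bucket.acquire()  # never more than `rate` requests per second
        req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT})
        try:
            with opener(req, timeout=timeout) as resp:
                results.append((url, resp.status))
        except urllib.error.HTTPError as err:
            results.append((url, err.code))
    return results


class _FakeClock:
    """Offline stand-in for time: sleep() just advances the clock."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds


class _FakeResponse:
    """Constructed stand-in for an HTTP response; no real traffic is sent."""
    status = 200
    def __init__(self, req, timeout=10):
        # urllib stores header names capitalized, hence "User-agent".
        assert req.get_header("User-agent") == USER_AGENT
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def demo():
    """Run probe() offline: three in-scope URLs at 2 req/s plus one refused URL."""
    clock = _FakeClock()
    bucket = TokenBucket(rate=2.0, burst=1, clock=clock, sleep=clock.sleep)
    urls = [                                   # constructed sample targets
        "https://app.keelflow.ai/login",
        "https://app.keelflow.ai/api/health",
        "https://evil.example.net/",           # out of scope: never contacted
        "https://keelflow.ai/",
    ]
    results = probe(urls, bucket, opener=_FakeResponse)
    return results, clock.now


if __name__ == "__main__":
    print(demo())
```

The scope check compares the full hostname rather than a suffix, so `keelflow.ai.attacker.example` or a forgotten staging host is rejected. Replace `_FakeResponse` with the default `urllib.request.urlopen` only once your target list has been checked against Section 02.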

Section 04

Safe harbor

We extend the following safe-harbor terms to security researchers acting in good faith and within this policy:

  • We will not pursue civil action or refer the matter to law enforcement for accidental, good-faith violations of this policy.
  • We consider activities in compliance with this policy to be "authorized" conduct under the Computer Fraud and Abuse Act and similar anti-hacking laws, and exempt from the anti-circumvention restrictions of the DMCA.
  • We will work with you to understand and resolve the issue quickly. We will treat your work as a contribution, not a threat.

Safe harbor does not apply to activity outside this policy or to research that violates the law independent of this policy.

Section 05

Response timeline

Within 2 business days
Acknowledge receipt

A human reads your report. We confirm we have it.

Within 5 business days
Initial assessment

Confirmed or rejected. Severity classified. Owner assigned.

Within 30 days
Remediation plan

For confirmed issues. Timeline depends on severity and complexity.

Coordinated
Public disclosure

Mutually agreed once a fix is deployed and customers have had reasonable time to update.

Section 06

Disclosure timing

We follow coordinated disclosure. Default embargo is 90 days from initial confirmation, extendable for complex fixes by mutual agreement. Researchers who agree to embargo and remediation timelines are credited (with permission) in our public security advisories.

For critical vulnerabilities under active exploitation, we may shorten the embargo; for fixes that require customer action, we may extend it. In either case we will explain the rationale.

Section 07

Recognition

Our current program (Phase 1) does not include a paid bug bounty. We recognize valid reports with:

  • Public credit (with your permission) on a Hall of Fame page.
  • Direct thank-you from the Keel team.
  • Keel-branded merchandise for high-quality reports.
  • Consideration for early access to programs and product features.

A formal bug bounty with monetary rewards is on the Year 2 roadmap, once the platform is generally available to a broader customer base.

Section 08

Contact and updates

For all vulnerability reports: security@keelflow.ai. For general security questions or to request a security review package: hello@keelflow.ai. This policy may be updated as our security program matures; substantive updates are timestamped.