Security

At iKelp, we take the security of our services, infrastructure, and customer data seriously. If you believe you have discovered a security vulnerability in any iKelp service, product, website, or related infrastructure, please report it to us responsibly.

How to report a vulnerability

Please send security reports to: security(at)ikelp.com

To help us investigate efficiently, please include as much of the following as possible:

- affected domain, application, or service,
- detailed description of the issue,
- steps to reproduce,
- proof of concept, screenshots, or logs,
- estimated impact,
- your contact details for follow-up questions.

Our approach

For legitimate security reports, we aim to:

- acknowledge receipt of the report,
- review and validate the finding,
- prioritize remediation based on severity and impact,
- maintain reasonable communication during the process.

Scope

This policy applies to services operated by iKelp, including public websites, customer-facing SaaS services, APIs, and supporting infrastructure managed by iKelp. This may include, for example:

- .ikelp.com
- .ikelp.cloud
- other public services clearly operated by iKelp.

If you are unsure whether a system belongs to iKelp, include it in your report and we will review it.

Out of scope

The following are generally considered out of scope unless they show real security impact:

- spam or email best-practice issues without real exploitability,
- missing security headers without a practical attack scenario,
- clickjacking on pages with no sensitive actions,
- denial of service, stress testing, or resource exhaustion testing,
- social engineering, phishing, pretexting, or physical attacks,
- attacks against third-party systems not operated by iKelp,
- reports based only on outdated software versions without demonstrated impact,
- self-XSS or issues requiring unrealistic user interaction,
- automated scanner output without analysis and reproduction steps.

Rules of engagement

Please:

- act in good faith,
- avoid privacy violations and service disruption,
- test only to the extent necessary to confirm the issue,
- avoid accessing data that does not belong to you,
- do not modify or delete third-party data,
- stop testing once the issue has been confirmed,
- report the issue promptly.

Please do not:

- exploit a vulnerability beyond what is necessary for proof,
- create persistent access or backdoors,
- perform destructive testing,
- publicly disclose the issue before it has been reviewed and remediated.

Safe harbor

If you act in good faith, follow this policy, avoid privacy violations and service disruption, and give us reasonable time to investigate and remediate the issue, iKelp will not consider your research to be unauthorized under this policy. This safe harbor applies only to activities consistent with this policy and does not extend to actions that violate law, regulation, or third-party rights.

Bug bounty

iKelp does not currently operate a public bug bounty program unless explicitly stated otherwise.

Contact

Security reports: security(at)ikelp.com

Reports may be submitted in Slovak or English.