Contact: [email protected]

At kula, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

kula maintains release branches for the three most recent minor releases of OnLaunch. Applicable fixes, including security fixes, may be backported to those three release branches, depending on severity and feasibility.

• E-mail your findings to [email protected].
• Do not run automated scanners on our infrastructure or dashboard. If you wish to do this, contact us and we will set up a sandbox for you.
• Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data,
• Do not reveal the problem to others until it has been resolved,
• Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties,
• Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

IMPORTANT: Do not file public issues on GitHub for security vulnerabilities

Provide a descriptive subject line and in the body of the email include the following information:

• Basic identity information, such as your name and your affiliation or company.
• Detailed steps to reproduce the vulnerability (POC scripts, screenshots, and compressed packet captures are all helpful to us).
• Description of the effects of the vulnerability on OnLaunch and the related hardware and software configurations, so that the kula security team can reproduce it.
• How the vulnerability affects OnLaunch usage and an estimation of the attack surface, if there is one.
• List other projects or dependencies that were used in conjunction with OnLaunch to produce the vulnerability.

We make the following commitments to security researchers who responsibly disclose vulnerabilities:

• We will respond to your report within 3 business days, acknowledging receipt and providing an initial evaluation.
• We will treat all information you provide as confidential and will not share your personal details without your explicit consent, unless required by applicable laws or regulations.
• We will keep you informed about the progress and resolution of the vulnerability.
• With your permission, we will acknowledge you as the discoverer of the vulnerability in any public disclosures, unless you prefer to remain anonymous.
• We aim to address and resolve all reported vulnerabilities in a timely manner.
• We appreciate your collaboration in coordinating the public release of information about the vulnerability after it has been appropriately resolved.

By following these guidelines and working together, we can create a more secure environment for our web app and its users. Thank you for your contributions to our security efforts.

Note: This security policy is based on best practices from various open-source web applications and has been customized for OnLaunch by kula.