Vulnerability disclosure policy


This guide is targeted to security researchers and outlines how potential security issues are reported. Are you a customer at Kundo with questions or concerns regarding security: please contact us directly at security@kundo.se.

Terms and guidelines

  • We will respond to vulnerability disclosures quickly to resolve the issue as soon as possible (initial contact within at least 3 business days of the submission)

  • You are not allowed to run a vulnerability scanner or do a system load test on our systems without our approval

  • We kindly ask not to reveal problems to others before initiating a dialogue with us

  • This document is to be considered a live document and is regularly updated by Kundo

  • Reports that do not match the guidelines outlined in this document will not be responded to

  • Vulnerability testing should only be performed on domains or subdomains to kundo.se, kundo.no, kundo.fi, and kundo.dk

Out-of-scope vulnerability types

We kindly ask to not contact us regarding findings that are listed here:

  • Reports from automated tools or scans that haven't been manually validated


  • Iframe policies and clickjacking

  • CSRF without clear security impact

Reporting of findings

Use the form at the bottom of this page or send an email security@kundo.se to report your findings. We kindly ask that all finding reports include at least:

  • Classification of vulnerability

  • Description of exploitation

  • A well written proof of concept

  • Motivation of severity

Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.

Guide tagged with: security
warning Created with Sketch.