Responsible Disclosure Policy

Version 1.0 · February 2026 · 90-Day Coordinated Disclosure

Safe Harbor

Kulprit Studios LLC will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, comply with this policy, avoid privacy violations, disruption to services, or destruction of data, and give us reasonable time to remediate before public disclosure. We consider your research to be authorized under this policy and will work with you throughout the process.

Scope — In Scope

kulpritstudios.com and all subdomains
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Server-side request forgery (SSRF)
Authentication and authorization flaws
Insecure direct object references (IDOR)
Sensitive data exposure (credentials, API keys, PII)
Remote code execution
SQL injection
Security misconfiguration with demonstrated impact

Scope — Out of Scope

Denial of service attacks
Social engineering attacks against Kulprit Studios personnel
Physical security
Vulnerabilities in third-party services or libraries (report to the vendor)
Missing security headers without demonstrated exploitability
Rate limiting issues without demonstrated impact
Theoretical vulnerabilities without proof of concept
Automated scanner output without manual validation

Disclosure Timeline

Day 0Submit report to security@kulpritstudios.com with full details and proof of concept

Day 1–3Acknowledgment of receipt and initial triage

Day 7Severity assessment and remediation timeline shared with reporter

Day 30Target remediation for critical and high severity findings

Day 90Maximum embargo period — public disclosure permitted after this date regardless of remediation status, with coordination preferred

We will keep you informed of remediation progress and request extensions only with justification. We will not request extensions beyond 90 days without mutual agreement.

How to Report

Email: security@kulpritstudios.com

Include in your report:

Description of the vulnerability and its potential impact
Affected URL(s) and parameters
Step-by-step reproduction instructions
Proof of concept (screenshots, HTTP requests/responses)
Your assessment of severity
Your name or handle for acknowledgment (optional)

What We Ask of Researchers

Do not access, modify, or delete data belonging to other users
Do not perform denial of service testing
Do not use automated scanners against production systems without permission
Do not publicly disclose findings before the 90-day embargo period has elapsed or remediation is confirmed
Limit testing to your own accounts and test data where possible

Recognition

We acknowledge security researchers who responsibly disclose valid vulnerabilities. Recognition options include public acknowledgment on this page (with your permission) and a thank-you response. We do not currently offer monetary bug bounties.

Independence Notice

Kulprit Studios LLC is an independent private entity and is not affiliated with any other organization. Security reports should be directed exclusively to the contact above.