
Vulnerability Disclosure Policy

Content last updated: 10 June 2026

KYNEKT Limited is committed to addressing and reporting security issues through a coordinated and constructive approach designed to provide the greatest protection for KYNEKT customers, partners, staff and all internet users.
A security vulnerability is a weakness in our systems or services that may compromise their security. This policy applies to security vulnerabilities discovered in any KYNEKT product, service or system — including the KYNEKT mobile applications, KTRAK GPS devices and firmware, the TOOLTRADE marketplace, the kynekt.id website, the backend API, and any associated cloud-hosted infrastructure — by KYNEKT staff, contractors, security researchers, customers, or any other third party.
Responsibility for this policy rests with the KYNEKT ISMS Manager, who reviews it annually. All KYNEKT staff and contractors receive guidance on it as part of their security awareness training.


1. How to Report a Vulnerability

If you believe you have discovered a vulnerability in any KYNEKT service, or have a security incident to report, please contact us using one of the following channels:

  • Email: security@kynekt.id — preferred channel for all vulnerability reports.
  • Reporting form: kynekt.id/security — for reporters who prefer a web form.
  • Encrypted communication: a PGP key is available at kynekt.id/security if you prefer to send encrypted information.

When reporting, please include:

  • A description of the vulnerability and its potential impact.
  • Step-by-step instructions to reproduce the issue.
  • Where applicable, the URL, endpoint, application version, device model or firmware version affected.
  • Where possible, a Common Vulnerability Scoring System (CVSS) score or an indication of severity.
  • Your contact details so we can keep you informed of progress (or a statement that you would prefer to remain anonymous).

2. What KYNEKT Commits To

Once we have received a vulnerability report, KYNEKT takes the following steps:

  • We will provide prompt acknowledgement of receipt — within two working days, and within 24 hours for vulnerabilities the reporter classifies as Critical or High.
  • We will treat your report confidentially and request that you do the same while we investigate and remediate.
  • We will work with you to understand, reproduce and investigate the vulnerability, and may contact you for additional information.
  • We will provide a timeframe for addressing the vulnerability, prioritised in line with our internal severity targets — Critical: 48 hours · High: 7 days · Medium: 30 days · Low: at next scheduled release.
  • We will notify you when the vulnerability has been resolved so that, if you wish, you can verify the fix.
  • Where appropriate, we will publicly announce the vulnerability and the fix — typically via the release notes of the update, and where warranted via the KYNEKT security page, blog or social media.
  • Release notes and any public announcement will credit the reporter by name, unless they request anonymity.

Where the vulnerability has resulted in a personal data breach as defined under UK GDPR, KYNEKT will also follow its internal incident management procedure and, where required, notify the Information Commissioner’s Office within 72 hours of becoming aware of the breach.


3. What We Ask of Security Researchers

KYNEKT greatly values the work of the security research community. To enable us to act on your report quickly and to protect our customers, we ask that researchers follow responsible disclosure good practice:

  • Allow KYNEKT a reasonable time to investigate and remediate the vulnerability before any public disclosure. As a guideline we request 90 days from the date of report, or until a fix has been released, whichever is sooner — unless the vulnerability is actively being exploited.
  • Provide sufficient detail to allow successful investigation, including clear steps to reproduce.
  • Where possible, include a CVSS score or your view of severity.
  • Do not modify, copy, exfiltrate or delete data beyond what is strictly required to demonstrate the vulnerability, and do not take any action that could affect KYNEKT customers, their data, or platform availability.
  • Do not perform social-engineering exercises against KYNEKT staff, contractors, customers or partners.
  • Do not attempt physical intrusion or disrupt the supply chain.
  • Do not run automated, large-scale scanning tools that could degrade the availability of KYNEKT services for other users.

4. Safe Harbour

Research carried out in good faith, in accordance with this policy, will be regarded by KYNEKT as authorised. KYNEKT will not initiate legal action against, or support enforcement action against, any researcher whose activity remains within the boundaries set out above. If, in the course of your research, you are uncertain whether a particular action is permitted, please contact us at security@kynekt.id before proceeding.
Safe harbour does not extend to the deliberate compromise of customer data, the public disclosure of vulnerabilities before remediation, or any action that would constitute an offence under the Computer Misuse Act 1990 beyond what is reasonably required for good-faith research.


5. Out of Scope

The following are out of scope for this disclosure programme. Reports limited to these matters will be acknowledged but typically closed without action:

  • Findings from automated tools or scanners without a demonstrated exploitable impact.
  • Reports of best-practice issues that do not represent an exploitable security weakness (for example, missing security headers without demonstrated impact, or lack of rate limiting on non-sensitive endpoints).
  • Social engineering, phishing or physical security attacks on KYNEKT staff or premises.
  • Denial-of-service or volumetric attacks intended to degrade service availability.
  • Vulnerabilities in third-party services that KYNEKT uses but does not operate (these should be reported to the relevant supplier; if you are unsure, contact us and we will help route the report).

6. Bug Bounty Programme

KYNEKT does not currently operate a paid bug bounty programme. KYNEKT may, at its discretion, recognise impactful research with a public acknowledgement, KYNEKT-branded items, or other token of appreciation. Recognition is not guaranteed and is not a contractual entitlement.


7. Misuse of This Channel

Use of this disclosure channel for activities that fall outside good-faith security research — including attempted extortion, unauthorised access to customer data, or threats to disclose publicly without giving KYNEKT a reasonable opportunity to remediate — will be treated as a security incident and may be reported to law enforcement.


© 2026 Kynekt Limited 16480337. All rights reserved.
