Security

Responsible-disclosure policy, contact, and scope for Kisenon.

This page is the canonical security policy for Kisenon. It is the target advertised by /.well-known/security.txt under RFC 9116.

Reporting a vulnerability

Email security@kisenon.com with:

  • A clear description of the issue.
  • Steps to reproduce — concrete commands, request payloads, or a small proof-of-concept. Vibes are unactionable.
  • The affected hostname (kisenon.com, api.test.kisenon.com, an endpoint host, or other) and the date and time the issue was observed.
  • Your preferred handle for any public credit, or anonymous.

Please do not file security issues on the public GitHub tracker. The tracker is for product bugs and feature requests; it is world-readable and unsuitable for unfixed vulnerabilities.

Response targets

Kisenon is in alpha and operated by a small team. We aim for:

  • Acknowledgement within two business days.
  • Triage and severity assessment within five business days.
  • Fix or mitigation on a timeline proportional to severity. Critical issues take precedence over feature work.

We will keep you updated as we move through triage and remediation. Once a fix has shipped, we will coordinate disclosure with you.

Scope

In scope:

  • The kisenon.com apex and its subdomains operated by Kisenon (api.test.kisenon.com, cp.kisenon.com, endpoint hosts under *.kisenon.com).
  • The control-plane HTTP API, the keon CLI, and the web console.
  • Authentication and session handling: NextAuth Google/GitHub sign-in, the cp-signed JWT exchange, the CLI loopback OAuth flow, and API key (nsk_…) issuance and revocation.
  • Tenant isolation: any path that crosses a project boundary without authorisation, leaks another tenant's metadata, or escapes the per-endpoint network perimeter.

Out of scope:

  • Denial of service via raw traffic volume against shared infrastructure. Rate-limit findings against documented limits are welcome; flooding is not a vulnerability.
  • Reports based solely on automated-scanner output without a working proof-of-concept.
  • Social engineering of Kisenon staff or alpha testers.
  • Issues in third-party services we depend on (GitHub OAuth, Google OAuth, MetalLB, k3s, Postgres itself) — please report those upstream. Kisenon-side mitigations are still in scope.

Safe harbour

We will not pursue legal action against researchers who:

  • Make a good-faith effort to comply with this policy.
  • Avoid degrading service availability for other tenants.
  • Do not exfiltrate data beyond the minimum needed to demonstrate the issue. Stop as soon as access is proven; do not enumerate.
  • Do not disclose the issue publicly before a fix has shipped or 90 days have elapsed since report, whichever is sooner.

PGP

PGP-encrypted reports are accepted but not required. If you need a public key, request one in your initial email and we will reply with the current key fingerprint out of band.