Found a bug?
Tell us first.
We treat every report as a partnership. Encrypted channel, clear timeline, credit where it's due.
Scope
- Any Kairos Lab product — KairosAuth, Kairos Shield, K-PPE, AsterScan, StatShield, etc.
- Infrastructure under *.kairos-lab.org and *.kairoslab.io
- Smart contracts deployed under our control on Aster Chain & Base Sepolia
Out of scope
- Social engineering of Kairos Lab staff
- Physical attacks on infrastructure
- DoS/DDoS without a clear exploit path
- Reports generated by automated scanners without manual validation
- Vulnerabilities in third-party services we don't control
How to report
- Email security@kairos-lab.org
- Include: affected product, reproduction steps, proof-of-concept, suggested severity (CVSS 3.1 if possible)
- We acknowledge within 24h and triage within 72h
Our commitment
| Within | Commitment |
|---|---|
| 24h | Acknowledge receipt of your report |
| 72h | Initial triage and severity assessment |
| 7d | Reproduction confirmed or rejected with reasoning |
| 30d | Fix deployed for critical / high severity findings |
| 90d | Public disclosure, coordinated with reporter |
Rewards
Every validated finding is rewarded on a case-by-case basis (USDC on Aster Chain) and credited publicly in our writeups unless you prefer to stay anonymous.
| Tier | Examples | Reward |
|---|---|---|
| P0 — Critical | Authentication bypass, RCE, key extraction, fund loss | $1,000 – $5,000 |
| P1 — High | Privilege escalation, significant data exposure | $300 – $1,000 |
| P2 — Medium | Limited impact exploits, logic flaws | $100 – $300 |
| P3 — Low | Informational, best-practice deviations | Kudos + credit |
Safe harbor
If you make a good-faith effort to comply with this policy, we will not pursue legal action against you. We ask the same in return: don't access data that isn't yours, don't degrade our service, and give us time to fix before going public.
Ready to report? Send an encrypted email to our security team. We respond within 24 hours.
Report a vulnerability →