Security Disclosure

Last Updated: October 27, 2024

We Value Security Researchers

Kilo Code is committed to protecting our users' security and privacy. We appreciate security researchers who help us identify and fix vulnerabilities.

Scope

This policy applies to:

  • kilocode.ai and all its subdomains (*.kilocode.ai)
  • Kilo Code extensions (VS Code, JetBrains IDEs)
  • Kilo Code CLI
  • Source code at github.com/Kilo-Org/kilocode

Out of scope: Third-party services, vendor systems, and services not explicitly listed above.

Guidelines

When testing for vulnerabilities, please:

Do:

  • Report vulnerabilities as soon as you discover them
  • Provide detailed steps to reproduce the issue
  • Give us reasonable time to fix issues before public disclosure
  • Use the minimum amount of interaction necessary to identify a vulnerability

Don't:

  • Access, modify, or delete user data
  • Disrupt our services or users (no DoS/DDoS attacks)
  • Perform physical testing or social engineering (phishing, etc.)
  • Submit automated vulnerability scans or spam reports
  • Share vulnerability details publicly before we've fixed them

How to Report

Email: security@kilocode.ai

You can report anonymously. We don't require your personal information.

What to include:

  • Description of the vulnerability
  • Location where it was found (URL, file, etc.)
  • Steps to reproduce the issue
  • Potential impact
  • Any proof-of-concept code or screenshots (optional but helpful)

What to Expect

  • Within 3 business days: We'll acknowledge receipt of your report
  • Ongoing: We'll keep you updated on our progress fixing the issue
  • Confidentiality: We won't share your information without permission
  • No legal action: If you follow these guidelines in good faith, we won't pursue legal action against you

Questions?

Contact us at security@kilocode.ai with any questions about this policy.