If you discover a security vulnerability in Kin, please report it responsibly.
Email: [email protected]
Please include:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix or mitigation: Depends on severity, but we prioritize security issues above all other work
This policy covers the Kin repository and all crates in the workspace. If you find a vulnerability in a dependency (Tree-sitter, reqwest, etc.), please report it to the upstream project as well.
We will coordinate disclosure with you. We ask that you give us reasonable time to address the issue before public disclosure.