00 credit where due
Researcher hall of fame.
Security researchers who have responsibly disclosed vulnerabilities in kolm get public credit here with their consent. The program is open to anyone, no application needed. Report to security@kolm.ai or use our security.txt.
No public credits yet.
Be the first. Coordinated disclosure with safe harbor at /security.
How the program works.
Scope: kolm.ai web surface, public APIs at kolm.ai/v1/*, the open-source kolm CLI, and shipped .kolm runtime sandbox escapes.
Out of scope: social engineering, denial of service, spam, third-party vendor issues (report to the vendor first), or anything that requires physical access to a customer device.
Reward range: $500 to $5,000 by severity, paid in USD or BTC. Critical sandbox escapes sit at the top of the range. Severity is triaged against CVSS 3.1, with our own scope adjustments.
SLA: initial acknowledgement within 24 hours, triage and severity decision within 72 hours; the fix timeline depends on severity (Critical = 7 days, High = 14 days, Medium = 30 days).
Safe harbor: good-faith research consistent with this scope and our security.txt will not be pursued legally. We honor coordinated disclosure windows.
What we ask in return.
Do not exfiltrate or persist customer data. Stop at the first proof of impact and report. Do not disclose publicly until the fix has shipped or 90 days after the report, whichever comes first.
If you need a longer disclosure window for a Critical finding (e.g. coordinated with downstream OSS projects), ask. We will not weaponize the deadline against good-faith researchers.
Want a private channel first?
Encrypt with our PGP key at /.well-known/pgp-key.txt if you prefer. We will respond from security@kolm.ai within 24 hours.
See also /security for the full compliance roadmap.