// security policy
Report a vulnerability.
We take security reports seriously and aim to acknowledge new disclosures within one business day. If you've found a flaw - credential leak, authentication bypass, data exposure, anything that affects customer trust - please tell us before disclosing it publicly.
How to report
- Email security@karta.sh with a concise description and a reproducer.
- Encrypt with our PGP key if the issue is sensitive (key fingerprint available on request).
- Include affected URLs, request payloads, and the impact you observed.
What to expect
- Acknowledgement: within 1 business day.
- Triage: severity assessment within 3 business days.
- Fix or mitigation: timeline depends on severity; critical issues are patched as soon as possible.
- Disclosure: coordinated with you; we'll credit you unless you'd rather stay anonymous.
Safe harbor
Good-faith research that follows this policy will not result in legal action. Don't access data that doesn't belong to you, don't degrade service for other users, and don't run automated scanners that could disrupt production. Reach out before testing anything destructive.
Out of scope
- Social engineering of staff or customers.
- Physical attacks against hosting infrastructure.
- Reports based solely on outdated automated scanner output without proof of impact.
- Self-XSS or issues requiring an attacker already in your browser.
RFC 9116 disclosure file: /.well-known/security.txt
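As an added illustration of what an RFC 9116 file for this policy looks like (not the project's published file), the example below uses the contact address stated on this page; the Expires date and the Encryption, Policy and Canonical URLs are assumed placeholders, since the page does not state them. RFC 9116 makes Expires mandatory, requires the file to be served over HTTPS, and recommends that it be PGP clearsigned so a reporter can check it was not tampered with.

```text
# Added example of /.well-known/security.txt; not the live file.
# Contact address is from this page; every other value is an assumed placeholder.
Contact: mailto:security@karta.sh
# Expires is mandatory under RFC 9116; this date is a placeholder, not a published value.
Expires: 2026-12-31T23:59:59Z
# The page says a PGP key is available on request; this URL is an assumption.
Encryption: https://karta.sh/.well-known/pgp-key.txt
# Policy and Canonical URLs are assumptions as well.
Policy: https://karta.sh/security
Canonical: https://karta.sh/.well-known/security.txt
Preferred-Languages: en
```

Before encrypting a report, confirm the key fingerprint through a second channel (the page offers it on request) rather than trusting only the key file fetched from the site.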