Security Disclosure Policy

Keyrios takes the security of our own infrastructure seriously. We welcome good-faith reports from researchers who identify vulnerabilities in our systems.

Last updated: 19 February 2026
CVD Policy: Active
01

Our Commitment

Keyrios is an intelligence-led security company. We hold ourselves to the same security standards we apply to our clients. If you have discovered a potential vulnerability in our public-facing infrastructure — including keyrios.com or any subdomain — we want to know.

We operate a Coordinated Vulnerability Disclosure (CVD) policy. This means we ask researchers to report vulnerabilities to us privately, giving us reasonable time to investigate and remediate before any public disclosure. In return, we commit to responding promptly, keeping you informed, and not pursuing legal action against researchers acting in good faith within this policy.

02

Scope

This policy applies to vulnerabilities discovered in the following Keyrios-operated assets:

  • keyrios.com and all subdomains (e.g. www.keyrios.com)
  • Keyrios web applications and client-facing portals
  • Keyrios APIs that are publicly accessible

The following are explicitly out of scope:

  • Third-party services, platforms, or infrastructure not operated directly by Keyrios (e.g. cloud provider infrastructure, email providers).
  • Social engineering attacks targeting Keyrios staff or clients.
  • Physical security attacks against Keyrios premises.
  • Denial-of-service (DoS or DDoS) attacks of any kind.
  • Automated scanning that may disrupt service availability.
  • Vulnerabilities in software or services that Keyrios does not control or maintain.
  • Findings from assets acquired via non-authorised access or in breach of applicable law.

03

How to Report

To submit a vulnerability report, please email us at security@keyrios.com. Reports may be submitted in English.

Please include the following in your report:

  • A clear description of the vulnerability, including the type (e.g. XSS, IDOR, SQLi, exposed credential).
  • The URL(s) or endpoint(s) affected.
  • Step-by-step reproduction instructions, including any tools, payloads, or account states required.
  • Evidence of impact — screenshots, video recordings, or proof-of-concept code where relevant.
  • Your contact details (name or handle) if you wish to be acknowledged.

We treat all incoming reports as confidential. Your personal information will be used solely to communicate with you regarding the reported vulnerability and will not be shared with third parties without your consent.

04

Response Process

Once we receive your report, we will follow the process below:

01
Acknowledgement: within 2 business days

We will confirm receipt of your report and assign a tracking reference.

02
Triage & Validation: within 5 business days

Our security team will assess the report, reproduce the issue, and determine severity and scope.

03
Remediation: varies by severity

We will work to remediate validated findings. We will keep you informed of progress and any necessary timeline extensions.

04
Resolution & Disclosure: agreed with reporter

Once remediated, we will notify you and agree a disclosure timeline. We aim to support coordinated public disclosure where appropriate.

We aim to resolve critical and high-severity findings within 30 days. More complex issues may require additional time; we will communicate any extended timelines clearly.

05

Researcher Expectations

To qualify for safe harbour under this policy, researchers must:

  • Report vulnerabilities through the designated channel (security@keyrios.com) before any public or third-party disclosure.
  • Avoid accessing, modifying, deleting, or exfiltrating data beyond what is necessary to demonstrate the vulnerability.
  • Not exploit the vulnerability beyond the minimum required to confirm its existence and impact.
  • Not disrupt the availability of Keyrios services or conduct any form of denial-of-service testing.
  • Not target Keyrios clients, staff, or third-party systems.
  • Give Keyrios reasonable time to remediate before any public disclosure (minimum 90 days, unless a shorter period is agreed in writing).
  • Comply with all applicable laws in the jurisdiction where the research is conducted.

06

Safe Harbour

Keyrios will not initiate legal action against researchers who discover and report security vulnerabilities in good faith, in accordance with this policy. We consider such research to be authorised under this policy and will work with relevant parties to clarify this if necessary.

Safe harbour applies only to activities strictly within the scope of this policy and that comply with the researcher expectations set out in Section 05. Activity outside these boundaries — including targeting out-of-scope systems, exfiltrating data, or conducting disruptive testing — is not covered.

This policy does not create a contract or impose any obligation on Keyrios to provide compensation or recognition for vulnerability reports.

07

Acknowledgements

Keyrios may, at our discretion and with the researcher’s consent, acknowledge individuals who report valid vulnerabilities in a responsible manner. We do not currently operate a paid bug bounty programme; researchers should not expect financial compensation.

If you wish to be acknowledged for a reported finding, please indicate this in your initial report and provide the name or handle you would like us to use.

08

Contact

For vulnerability reports or questions about this policy, contact our security team at:

Keyrios Security Team
security@keyrios.com

For general enquiries unrelated to security disclosures, please use contact@keyrios.com.
