Security Policy
Effective 16 May 2026
At Kubereum Private Limited we take security seriously. This page describes how we protect our systems and how you can responsibly report a vulnerability.
1. How we secure kubereum.com
- TLS 1.2+ everywhere. HTTPS is enforced site-wide via HSTS.
- Strict transport security. HSTS header with includeSubDomains.
- Content Security Policy. Restricts sources for scripts, styles, frames, and images.
- Clickjacking protection. X-Frame-Options: SAMEORIGIN.
- MIME-sniffing protection. X-Content-Type-Options: nosniff.
- Referrer policy. strict-origin-when-cross-origin.
- Permissions policy. Camera, microphone, geolocation, payment, USB, accelerometer, magnetometer, and gyroscope APIs are blocked.
- Bot mitigation. Cloudflare Bot Fight Mode is enabled.
- Static export. The Site is fully static; no application server is exposed to the public internet from the website domain.
- Least-privilege access. Administrative access to our DNS, hosting, and source control is restricted to named founders with 2FA.
- Email authentication. SPF, DKIM, and DMARC are configured for kubereum.com.
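As an added illustration (not code from Kubereum), the following Python check validates a captured set of HTTP response headers against the header baseline listed above; the header values in it are constructed, and it does not cover TLS, bot mitigation, DNS or email authentication, which cannot be verified from a single response.

```python
# Added example: validate response headers against the section 1 baseline.
# Sample header values below are constructed, not captured from kubereum.com.
from typing import Dict, List

BLOCKED_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb",
                    "accelerometer", "magnetometer", "gyroscope")

def _parse_permissions_policy(value: str) -> Dict[str, str]:
    """Turn 'camera=(), geolocation=(self)' into {'camera': '()', ...}."""
    out = {}
    for directive in value.split(","):
        name, _, allow = directive.strip().partition("=")
        out[name.strip().lower()] = allow.strip()
    return out

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security", "")
    if "max-age=" not in hsts:
        findings.append("HSTS missing")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    if "content-security-policy" not in h:
        findings.append("CSP missing")
    if h.get("x-frame-options", "").upper() != "SAMEORIGIN":
        findings.append("X-Frame-Options is not SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")
    pp = _parse_permissions_policy(h.get("permissions-policy", ""))
    for feature in BLOCKED_FEATURES:
        if pp.get(feature) != "()":  # '()' is the empty allowlist, i.e. blocked
            findings.append(f"Permissions-Policy does not block {feature}")
    return findings

# Constructed samples: one compliant response and one with two regressions.
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": ", ".join(f"{f}=()" for f in BLOCKED_FEATURES),
}
BAD = dict(GOOD, **{"X-Frame-Options": "ALLOWALL",
                    "Permissions-Policy": "camera=(), microphone=(self)"})
```

Running `check_headers(BAD)` reports the weakened X-Frame-Options plus one finding per feature the shortened Permissions-Policy no longer blocks.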
2. Reporting a vulnerability
If you believe you have found a security vulnerability in any Kubereum product, website, or service, please report it to us privately so we can fix it before it is exploited.
Primary contact: [email protected]
Alternate: [email protected]
Our machine-readable contact file is at /.well-known/security.txt per RFC 9116.
What to include
- A clear description of the issue and its impact
- Steps to reproduce, with any required credentials or context
- Affected URL, parameter, or component
- Your contact details and (optional) handle for credit
What you can expect from us
- Acknowledgement of receipt within 72 hours
- A status update within 7 business days
- Best-effort remediation timelines tied to severity
- Public credit (with your consent) once the issue is resolved
3. Safe-harbour for good-faith research
We will not pursue legal action against researchers who:
- Act in good faith to discover and report a vulnerability
- Do not access, modify, exfiltrate, or destroy data beyond the minimum needed to demonstrate the issue
- Do not disrupt service availability for other users
- Do not publicly disclose the issue until we confirm remediation
- Comply with applicable law (including the Information Technology Act, 2000 and the DPDP Act, 2023)
4. Out of scope
- Reports from automated scanners without evidence of impact
- Social engineering or phishing of Kubereum employees, contractors, or vendors
- Physical-security issues at our offices
- Issues in third-party services or upstream libraries (please report to those vendors directly)
- Missing best-practice headers that do not lead to demonstrable impact (e.g., absence of CAA records)
- Self-XSS and theoretical issues with no practical exploitation path
5. Bug-bounty
We do not currently run a paid bug-bounty programme. Where a researcher provides material value, we may offer a goodwill thank-you and public credit at our discretion.
6. Updates
This Security Policy will evolve as our products and threat model grow. The latest version is always at kubereum.com/security.