Responsible Disclosure

Security has the highest priority at Kahuna. Our specialists are continuously working on the optimization of our systems and processes. This is how we create the highest possible security for both our clients and ourselves. We diligently look after the security of our systems but despite this, weaknesses can occur.

Have you discovered a vulnerability in our systems? If so, we would be happy to work with you on finding a solution. We request that you share this information with us in confidence. How to do this can be found in our ‘Statement of Responsible Disclosure’.

Kahuna’s Security Operations Centres continually monitor suspicious behavior in its own networks. There is a very good chance we will notice a scan, triggering an investigation that will incur unnecessary costs. Therefore, please note that our Responsible Disclosure policy is not an invitation to extensively scan our corporate network to discover vulnerabilities. Statement of Responsible Disclosure If you have found a weakness in one of our systems, please notify us so that we can take appropriate measures as soon as possible. We would like to work with you to better protect our clients and our systems.

How do you report a problem?

  • Report the problem to Only report one incident per mail. If you have found more than one vulnerability, please send us an email for each issue.
  • Please include your contact details (name, telephone number and email address) so that we can contact you if we need more information.
  • Please provide sufficient information so that we are better able to reproduce the problem and thus solve it more quickly. Generally, the IP address or the URL of the affected system and a description of the vulnerability is sufficient, but for more complex vulnerabilities it may be that we need more detailed information.

Our rules:

  • Please do not abuse the problem by, for example, downloading, changing, or deleting data. We always take your reports seriously and will investigate any suspicion of a vulnerability, even if there is no concrete evidence.
  • Avoid copying, deleting, or changing information.
  • Do not share the problem with others until it is resolved.
  • Do not place malware and do not use brute force attacks, denial-of-service attacks, Social Engineering, and do not execute a ‘lateral movement’.

We endeavor to:

  • Send you an acknowledgment of receipt via email within 1 working day;
  • Send you a more substantive response and the date on which we expect to solve the problem within 3 working days. We will solve the problem within two months at the latest;
  • Keep you informed of the progress and status of solving the problem.
  • Together we will determine whether we make this public. We will only mention your name if that is your wish.
  • If you comply with our rules, we will not take any legal action.