Kygnos Limited · Last updated May 2026
We build security infrastructure for a living. We take vulnerability reports seriously and will respond to them promptly and professionally.
No system is unconditionally secure. We do not claim otherwise. If you have identified a vulnerability in our infrastructure or website, we want to know about it. Responsible disclosure benefits everyone.
Please send vulnerability reports to marcus@kygnos.cloud.
Include as much detail as you can — the nature of the vulnerability, steps to reproduce, potential impact, and any supporting evidence. A PGP key for encrypted communication will be published here in due course.
We will not disclose your report to third parties without your consent, except where we are legally required to do so.
We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, provided they:
This policy applies to the kygnos.cloud website and any systems directly operated by Kygnos Limited. It does not extend to client infrastructure, which is operated under separate contractual arrangements.
Social engineering, physical attacks, and denial of service attempts are outside the scope of this policy and will not be treated as good faith research.
We ask for 90 days from the date of our acknowledgement before any public disclosure. If remediation requires longer, we will discuss an extension with you. We are committed to resolving confirmed vulnerabilities promptly.