Security

How to report a security vulnerability to us.

We take security seriously. If you have discovered a vulnerability in Keryth’s application, infrastructure, or website, we want to hear from you. We commit to handling reports responsibly, communicating with you throughout the process, and crediting researchers who help us improve.

How to report

Send your report to security@keryth.com. Please encrypt sensitive reports using our PGP key — details below. Include as much information as you can: steps to reproduce, proof-of-concept code or screenshots if applicable, and your assessment of the impact.

We will acknowledge your report within 72 hours and aim to provide an initial assessment within 7 days.

Our commitments to you

We will not take legal action against researchers who report vulnerabilities in good faith, acting within this policy. We consider good-faith security research a valuable public service.
We will keep you informed. We’ll update you on the status of your report as we investigate and remediate.
We will credit you in our public disclosure (with your permission) once the vulnerability is resolved.
We commit to a 90-day disclosure timeline. We aim to resolve reported vulnerabilities within 90 days of the initial report. If we need more time, we will communicate this to you and agree on an extension. Once the 90 days (or any extension agreed with you) have elapsed, you are free to disclose publicly regardless of remediation status.

Scope

The following are in scope for vulnerability reports:

  • The Keryth application at chat.keryth.com
  • The Keryth API at app.keryth.com
  • The Keryth website at keryth.com
  • Authentication and authorisation logic
  • Document storage and access controls
  • Payment flow security

The following are out of scope:

  • Vulnerabilities in third-party services we use (report those to the relevant vendor)
  • Social engineering attacks against Keryth staff
  • Denial of service attacks
  • Spam or phishing campaigns not involving a technical vulnerability in our systems
  • Automated scanning results submitted without manual verification

PGP key

For sensitive reports, please encrypt your email to security@keryth.com using our public PGP key.

Key fingerprint: CE8A 10CC 4A85 20F9 5301 DA4B 12CD 0A07 07F4 3D0D

You can retrieve the full public key by searching for security@keryth.com on keys.openpgp.org, or by contacting us and requesting it directly. Whichever way you obtain it, confirm that the fingerprint of the key you imported matches the fingerprint published above before encrypting anything to it.
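
The following is an added example, not part of Keryth's page or tooling, showing the check a reporter should make before trusting a key obtained from a keyserver: import by fingerprint rather than by e-mail search, confirm the imported key's fingerprint equals the one published above, and only then encrypt the report. The gpg invocations are standard GnuPG; the function names, the report file name and the sample `--with-colons` output used for the offline check are illustrative.

```shell
#!/bin/sh
# Added example: verify Keryth's published PGP fingerprint before encrypting a report.
# EXPECTED_FPR is the fingerprint published on this page; everything else is illustrative.

EXPECTED_FPR="CE8A 10CC 4A85 20F9 5301 DA4B 12CD 0A07 07F4 3D0D"

# Strip spaces and upper-case so fingerprints from different sources compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Given the output of `gpg --with-colons --fingerprint <key>`, take the primary key
# fingerprint (field 10 of the first "fpr" record) and compare it with the expected
# fingerprint. Returns 0 on match, 1 on mismatch or if no fingerprint was found.
fingerprint_matches() {
    colons_output="$1"
    expected="$(normalize_fpr "$2")"
    actual="$(printf '%s\n' "$colons_output" | awk -F: '$1 == "fpr" { print $10; exit }')"
    [ -n "$actual" ] && [ "$(normalize_fpr "$actual")" = "$expected" ]
}

# Network steps, run explicitly by the reporter: import the key by fingerprint (not by
# e-mail search), verify what was imported, and encrypt only to a key that matched.
# Usage: fetch_verify_encrypt report.txt   (writes report.txt.asc)
fetch_verify_encrypt() {
    report="$1"
    fpr="$(normalize_fpr "$EXPECTED_FPR")"
    gpg --keyserver hkps://keys.openpgp.org --recv-keys "$fpr" || return 1
    out="$(gpg --with-colons --fingerprint "$fpr")" || return 1
    if ! fingerprint_matches "$out" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: refusing to encrypt" >&2
        return 1
    fi
    # Encrypt to the verified key; add --sign if you want Keryth to be able to verify the sender.
    gpg --armor --encrypt --recipient "$fpr" --output "$report.asc" "$report"
}

# Constructed sample of --with-colons output, so the check can be exercised offline.
SAMPLE_COLONS='pub:u:255:22:12CD0A0707F43D0D:1700000000:::u:::scESC::::::23::0:
fpr:::::::::CE8A10CC4A8520F95301DA4B12CD0A0707F43D0D:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Keryth Security <security@keryth.com>::::::::::0:'

# Same layout but a different fingerprint, as an attacker-substituted key would show.
SAMPLE_COLONS_BAD='pub:u:255:22:0000000000000000:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Keryth Security <security@keryth.com>::::::::::0:'
```

Importing by fingerprint matters because a search by e-mail address can return any key that carries that user ID, and the user ID alone proves nothing; the fingerprint published here is the value the reporter is actually trusting.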

What to expect after reporting

  • 72h: Acknowledgement of your report
  • 7d: Initial assessment and severity classification
  • 90d: Target resolution and coordinated public disclosure

This policy was last updated in April 2026. Questions about this policy can be directed to security@keryth.com.