Security & responsible disclosure

Last updated: May 14, 2026

We take security seriously and welcome reports from researchers acting in good faith. This page describes how to reach us, what we ask in return, and what you can expect from us.

How to report

Email security@completionkit.com. If you need to encrypt, request our PGP key in your first message.

Please include:

• A description of the vulnerability and where you found it (URL, endpoint, parameter).
• Steps to reproduce — concrete enough that we can validate.
• Any proof-of-concept code or screenshots that help.
• Your name and a contact handle for follow-up (optional but appreciated).

What we ask

• Don't access, modify, or delete data that isn't yours. Use a test account.
• Don't disrupt the Service — no DoS, no automated load testing.
• Don't share the vulnerability publicly until we've had a reasonable chance to fix it (we aim for 90 days; we'll coordinate if it needs longer).
• Don't social-engineer our team or our vendors.

What you can expect

• Acknowledgement within 3 business days.
• An initial assessment within 10 business days.
• Regular updates while we work on a fix.
• Public credit in our security acknowledgements after disclosure, if you'd like.

Safe harbour

If you make a good-faith effort to comply with this policy during your security research, we will consider your activity authorized and will not pursue civil or criminal action.

Out of scope

• Reports generated solely by automated scanners with no demonstrated impact.
• Issues already publicly disclosed.
• Self-XSS, clickjacking on pages without sensitive actions, missing security headers without a demonstrated exploitable impact.
• Vulnerabilities in third-party software unless you can show they're exploitable in our context.

Bounty

We don't run a paid bounty programme today. We're happy to offer swag and public credit for significant reports, and we'll revisit a paid programme as the company grows.

Machine-readable contact info: /.well-known/security.txt.