Responsible Disclosure Policy
Published: 2026-01-15 · Expires: 2027-01-15
We take security seriously and appreciate good-faith research. This page explains how to report vulnerabilities and what you can expect from us.
How to report a vulnerability
Send a report to security@rakomi.com. You may optionally encrypt your message with our PGP key.
- Describe the vulnerability and its potential impact
- Include steps to reproduce — a proof of concept is welcome
- Share your name / handle if you'd like public credit
- Do not include real user data or credentials in your report
We prefer reports in English or Polish.
Response SLAs
| Severity | Acknowledgement | Fix target |
|---|---|---|
| Critical (RCE, auth bypass, data leak) | 24 hours | 7 days |
| High (privilege escalation, SSRF) | 48 hours | 30 days |
| Medium (XSS, CSRF, info disclosure) | 5 business days | 60 days |
| Low (best-practice deviations) | 10 business days | 90 days |
Safe harbour
If you follow this policy in good faith, we will:
- Not pursue civil or criminal action against you
- Not refer your report to law enforcement
- Work with you to understand and remediate the issue quickly
- Credit you in our public disclosure (if desired)
Please do not access, modify, or delete data that does not belong to you. Use only test accounts you own. We operate in the EU — Polish and EU law applies.
Out of scope
- Denial of service (DoS/DDoS) attacks
- Social engineering or phishing of Rakomi employees
- Physical security
- Reports against third-party services in our sub-processor list
- Automated scanner output without manual verification
- Missing security headers that have no demonstrated impact
In scope
- api.rakomi.com — authentication API
- dashboard.rakomi.com — management dashboard
- rakomi.com — this landing page
- @rakomi/node — Node.js SDK (npm)
Authentication methods available on the platform include password sign-in, passwordless magic links, federated OAuth providers, time-based one-time passwords for multi-factor authentication, and phishing-resistant security credentials (passkeys). For passkeys we store only a public cryptographic identifier and minimal device metadata — no private key material and no raw device identifiers.
Hall of thanks
Researchers who have responsibly disclosed vulnerabilities to us will be listed here with their consent.
None yet — be the first.