Security

Security Disclosure Policy

We take the security of our users and infrastructure seriously. If you believe you have found a vulnerability, we appreciate your help in disclosing it to us responsibly.

Scope

This policy applies to security issues affecting services, systems, and software operated by Net Zero Labs, including assets reachable from kura.photos and its subdomains. We will update this scope as our footprint changes.

How to report

Email security@kura.photos with a clear description of the issue. Where possible, include:

  • Affected URL, endpoint, or component
  • Step-by-step instructions to reproduce
  • Proof-of-concept code, screenshots, or request/response logs
  • Your assessment of impact and any suggested remediation

Please give us a reasonable amount of time to investigate and remediate before publicly disclosing details.

Safe harbor

We will not pursue legal action against researchers who, in good faith, follow this policy. Good faith here means: no privacy violations, no destruction of data, no degradation of service for other users, and no access beyond what is necessary to demonstrate the issue. If in doubt, ask us first.

Out of scope

  • Denial-of-service or volumetric attacks
  • Social engineering of staff, contractors, or users
  • Physical attacks against offices, hardware, or personnel
  • Reports based solely on outdated software versions, missing security headers, or automated scanner output without a demonstrable impact
  • Findings on third-party services we do not operate (please report those upstream)

Response targets

We aim to:

  • Acknowledge new reports within 3 business days
  • Provide a triage assessment within 10 business days
  • Keep you updated on remediation progress until the issue is resolved

These are targets, not guarantees, and may slip for complex issues or during holidays.

Contact

Send reports to security@kura.photos. Machine-readable contact details are also published at /.well-known/security.txt.