Scope
Report vulnerabilities in changelog.gg, public API routes, account and dashboard flows, Discord OAuth or bot integration, billing integration issues, and security.txt issues to security@kordu.gg.
Include the affected URL, steps to reproduce, impact, screenshots or logs where useful, and a safe contact address.
Do not include personal data, secrets, tokens, payment data, or third-party confidential information in a report unless it is strictly necessary to demonstrate impact and you have minimised it.
Safe harbour
KORDU LTD treats good-faith research as authorised security research when it stays within this policy, avoids privacy violations, avoids data destruction, avoids persistence, avoids service disruption, and gives us a reasonable time to investigate before disclosure.
This is not a bounty program and does not promise payment, credits, public acknowledgement, or a response within a fixed time.
Out of scope
Do not run denial-of-service tests, spam Discord servers, attack users or third-party providers, access data that is not yours, use leaked credentials, bypass payment for paid use, or test physical, social, or phishing attacks.