To report a vulnerability, email support@kochi.so with the subject line Responsible Disclosure: Kochi followed by a short description of the issue. If you prefer, include the subject line in that exact format and add your summary after the colon.
Please include enough detail for us to reproduce and assess the issue safely. The most useful reports include the affected page or endpoint, the steps to reproduce, the impact, and any screenshots, logs, or request samples that make the problem easier to verify.
Scope
This program covers Kochi-operated public surfaces, including the marketing site, application workflows, APIs, authentication and authorization paths, and any other service we control directly. Third-party services are in scope only to the extent they are part of a Kochi-managed integration and you are testing the Kochi side of that boundary.
Issues that only affect an external provider, or that require unauthorized access to a third-party account, are outside this program.
What to include
- A clear summary of the issue and the affected URL, endpoint, or feature.
- Step-by-step reproduction instructions.
- The impact you believe the issue has, including any security or privacy effect.
- Screenshots, a short video, request/response samples, or timestamps if they help.
- Any account or role context needed to reproduce the issue safely.
Safe harbor
If you act in good faith, follow this policy, avoid data exfiltration, and give us a reasonable chance to fix the issue before public disclosure, we will treat your research as authorized security testing and not pursue legal action for the report itself. Please keep testing proportionate and limited to what you need to demonstrate the issue.
Prohibited testing
- Do not exfiltrate, modify, or delete customer data.
- Do not access data that is not yours or that you are not authorized to test.
- Do not perform denial-of-service, spam, credential-stuffing, or other availability attacks.
- Do not use social engineering, phishing, or physical intrusion.
- Do not test third-party systems that Kochi does not operate or control.
Response commitments
We aim to acknowledge reports within 2 business days and will keep you informed as we triage and remediate. If a report is valid and actionable, we will work toward a fix based on severity and operational impact.
We may ask for clarification, reproduce the issue in a controlled environment, or coordinate timing around a fix. Please avoid public disclosure until we have had a reasonable chance to respond.
Exclusions
This policy does not create a bounty program or payment obligation. Any reward, bounty, or special recognition must be set out in a separate written agreement signed by Kochi.
Routine support questions, feature requests, and non-security bug reports should still be sent to support@kochi.so, though they may be handled through standard support channels instead of this disclosure process.
Related legal docs
See also Privacy, Terms, Cookies, and DPA.
Date: April 21, 2026. Legal entity: FamilytalkGPT Inc. Product and service name: Kochi. Governing law: Delaware.