Security disclosure.
Effective · 2026-06-02 · Version 1.0
Plain-English summary. If you find a security vulnerability in KiheiRoad, submit it through the contact form on the landing page. We will respond within 48 hours, fix high-severity issues within 30 days, and credit you in a security advisory if you want. Good-faith researchers operating under this policy have legal safe harbor. A formal bug bounty program with monetary rewards is coming soon.
// 01 · Scope
This policy applies to security vulnerabilities affecting KiheiRoad-owned systems, including (a) the kiheiroad.com web application and all subdomains; (b) the KiheiRoad backend API at api.kiheiroad.com; (c) infrastructure operated directly by KiheiRoad. It does NOT apply to (a) third-party services we integrate with (report those to the respective vendor — Turnkey, Stripe, Resend, Sentry, Anthropic, Hyperliquid, AWS); (b) general crypto trading risks or smart-contract bugs in Hyperliquid; (c) issues affecting only individual user devices or accounts (those go through standard support).
// 02 · How to report a vulnerability
Submit reports through the contact form on the landing page, marked clearly as a security report. Include: (a) a clear description of the vulnerability; (b) steps to reproduce; (c) the potential impact and affected systems; (d) any proof-of-concept code or screenshots (avoid including actual user data); (e) your preferred contact channel for follow-up; (f) whether you intend to publicly disclose and on what timeline. We will acknowledge receipt within 48 hours and provide an initial assessment within 7 calendar days.
// 03 · Safe harbor for good-faith researchers
If you make a good-faith effort to comply with this policy, KiheiRoad will not initiate or support legal action against you for security research activities that (a) follow this policy; (b) avoid accessing, modifying, or destroying user data; (c) do not degrade service availability; (d) provide reasonable time for us to fix the issue before any public disclosure (typically 90 days, longer for severe issues requiring infrastructure changes); (e) do not extort, blackmail, or coerce KiheiRoad or any third party. This safe harbor does not apply to activities that violate criminal law, harm users, or constitute extortion.
// 04 · What is in scope
Examples of in-scope vulnerabilities include (a) authentication or authorization bypasses; (b) SQL injection, NoSQL injection, command injection; (c) cross-site scripting (XSS), CSRF on state-changing endpoints; (d) sensitive data exposure (private keys, session tokens, credentials, PII in logs); (e) server-side request forgery (SSRF); (f) remote code execution; (g) insecure direct object reference allowing access to another user's data; (h) signing-flow vulnerabilities that could let an attacker fire trades from a user's wallet; (i) any issue that could materially compromise the integrity of risk-cap enforcement.
// 05 · What is NOT in scope
The following are NOT eligible for bounty consideration: (a) self-XSS that requires social engineering of the victim; (b) clickjacking on pages with no sensitive actions; (c) missing best-practice headers without demonstrable impact (e.g., CSP suggestions); (d) findings from automated scanners without manual validation; (e) general feedback about user experience or design; (f) issues affecting outdated browsers or unsupported software; (g) denial-of-service via volumetric attack; (h) social engineering of KiheiRoad staff or users; (i) physical attacks on KiheiRoad property or staff.
// 06 · Disclosure timeline
Our typical workflow upon receiving a valid report: (a) within 48 hours — acknowledgment; (b) within 7 days — initial severity assessment and triage; (c) within 30 days — fix or remediation deployed for high/critical issues, longer windows possible for issues requiring architectural changes; (d) public disclosure occurs after the fix is deployed and users have had reasonable time to update. We will credit researchers who wish to be named in a security advisory upon resolution. Researchers may also publicly disclose on their own schedule, provided they meet the safe-harbor terms.
// 07 · Bug bounty
A formal bug bounty program with monetary rewards is planned but not yet operational. When it launches, we will publish a separate bounty schedule with severity tiers and reward amounts. In the interim, valid reports will be credited (with researcher consent) in security advisories, and after the program launches we will retroactively consider notable pre-program reports for ex gratia rewards.
// version 1.0 · pending final legal review prior to public launch