Responsible Disclosure Policy

KLNR Labs P.S.A. welcomes the security research community. This policy explains how to report a security vulnerability in our systems, what you can expect from us, and the conditions under which we provide a good-faith safe harbour. It reflects our evidence-first ethos: we want verifiable findings, handled responsibly, with the legal privilege and confidentiality our users rely on respected at every step. Last updated [effective date]. — DRAFT, pending legal review.

WORKING DRAFT — modeled on industry best practice and adapted for KLNR; pending legal review before publication as binding. Fields [...] are completed by KLNR. English is the authoritative language of these documents.

1. Purpose

KLNR Labs P.S.A. ("KLNR", "we", "us", "our") builds trustworthy tools for legal and professional work — including KLNR Search, Lexor, FRRE.ai, Sign, Comms, CoLab, AgentOS and Bill, accessed through a single sign-on ("klnr-gate"). The security and integrity of these systems, and the confidentiality of the information our users entrust to them, are central to our mission.

We value the work of independent security researchers and believe that coordinated, good-faith disclosure makes everyone safer. This Responsible Disclosure Policy (the "Policy") sets out how you can report a vulnerability to us, the conduct we expect from you, what you can expect from us in return, and the legal safe harbour we offer to researchers who act in good faith and within the terms of this Policy.

This Policy is not a bug bounty programme and does not, by itself, create any entitlement to a monetary reward. Where a reward programme exists, its separate terms will govern eligibility and payment.

If a single vulnerability affects KLNR and one or more third-party services, we ask that you report it separately to each affected organisation so that each can carry out its own assessment and remediation.

A note on AI safety and model behaviour: issues such as model "jailbreaks", prompt-injection that influences model output, harmful or non-compliant responses, and other AI-safety concerns are important to us, but they are handled under a different process than technical security vulnerabilities. Please report those to [security@klnr.ai] with the subject line "AI Safety", and they will be routed to the appropriate team.

2. Scope of Systems

In scope. This Policy applies to internet-facing information systems, applications, APIs and websites that are owned or operated by KLNR, including:

  • the master domain klnr.ai and its sub-domains;
  • the product surfaces KLNR Search, Lexor, FRRE.ai, Sign, Comms, CoLab, AgentOS and Bill;
  • the single sign-on service ("klnr-gate") and related authentication endpoints;
  • public APIs, integration endpoints and the e-signature (eIDAS) and e-invoicing (KSeF) interfaces operated by KLNR.

Out of scope. The following are not covered by this Policy, and testing against them is not authorised:

  • systems, sub-processors, hosting providers, contractors or other third parties operating under or alongside KLNR domains but not owned or operated by KLNR — these are governed by their own disclosure policies, which you must follow;
  • third-party software, libraries or platforms we merely use, except to the extent a vulnerability is exploitable specifically because of how KLNR has configured or deployed them;
  • physical facilities, offices, hardware and personnel of KLNR;
  • the email accounts, devices or property of KLNR employees, contractors or users.

If you are unsure whether a system is in scope, ask us first at [security@klnr.ai] before testing. We publish a machine-readable contact file in accordance with RFC 9116 at https://klnr.ai/.well-known/security.txt; please consult it for the current security contact and the latest scope signals.
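An illustrative RFC 9116 security.txt for the URL above, added here as an example of the fields such a file carries; it is not KLNR's published file, and the key, policy and expiry values are placeholders:

```text
# /.well-known/security.txt (RFC 9116) -- illustrative example, not the live KLNR file
# Contact (mandatory): where reports go; Section 4 asks for email, so a mailto: URI
Contact: mailto:security@klnr.ai
# Encryption: location of the public key Section 4 refers to (placeholder path)
Encryption: https://klnr.ai/.well-known/pgp-key.txt
# Policy: the document that governs scope, conduct and safe harbour (placeholder path)
Policy: https://klnr.ai/security/disclosure-policy
# Canonical: the URL this file is served from, so a copy cannot be passed off elsewhere
Canonical: https://klnr.ai/.well-known/security.txt
# Preferred-Languages: the report languages Section 4 welcomes
Preferred-Languages: en, pl
# Expires (mandatory): ISO 8601 timestamp; a past date signals an unmaintained contact (placeholder)
Expires: 2027-06-13T00:00:00.000Z
```

Field names are case-sensitive per RFC 9116, and the file must be served over HTTPS as text/plain; the RFC also recommends an expiry less than a year ahead and an OpenPGP cleartext signature over the file.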

3. Scope of Vulnerabilities

Qualifying vulnerabilities. We are interested in genuine, reproducible technical vulnerabilities that could affect the confidentiality, integrity or availability of in-scope systems or the data they hold, for example:

  • server-side and client-side injection (SQL injection, command injection, cross-site scripting / XSS);
  • authentication and authorisation flaws, including privilege escalation and insecure direct object references (IDOR);
  • cross-site request forgery (CSRF) on sensitive actions;
  • server-side request forgery (SSRF) and security misconfigurations;
  • directory or path traversal and unintended exposure of files or data;
  • exposure of secrets, credentials or personal data;
  • flaws that could undermine the integrity of e-signatures (eIDAS) or e-invoicing (KSeF) workflows.

Non-qualifying findings. The following are generally out of scope and, at KLNR's sole discretion, may be closed without further action. This list is illustrative, not exhaustive:

  • reports of "best practice" issues without a working proof-of-concept (e.g. missing security headers, SSL/TLS configuration, SPF/DKIM/DMARC observations);
  • missing cookie flags on non-sensitive cookies and clickjacking on pages without sensitive actions;
  • rate-limiting, brute-force or volumetric concerns on unauthenticated endpoints;
  • denial-of-service (DoS/DDoS) and resource-exhaustion attacks;
  • social engineering, phishing or pretexting against KLNR personnel or users;
  • physical attacks, or attacks requiring insider access or a compromised device;
  • reflected file download, self-XSS, and issues requiring an unlikely degree of user interaction;
  • account takeover relying on credential stuffing or already-breached passwords;
  • red-teaming or adversarial testing of AI models, and complaints about the content, accuracy or tone of model output (see Section 1 for AI-safety reporting);
  • dependency confusion / hijacking and other supply-chain theory without demonstrated impact on KLNR;
  • publicly disclosed ("n-day") vulnerabilities in third-party components for which a patch has been available for fewer than 30 days.

4. How to Submit a Report

Please send your report by email to [security@klnr.ai]. Where possible, encrypt sensitive details using the public key referenced in our security.txt (RFC 9116) file. A good report includes:

  • the vulnerability type and your assessment of its severity and potential impact;
  • the affected product, URL, endpoint or component (location);
  • a clear, step-by-step description that allows us to reproduce the issue;
  • minimal proof-of-concept material — scripts, requests/responses, screenshots or a short screen recording — sufficient to demonstrate the issue and no more;
  • any suggested remediation, and whether you intend to disclose the finding publicly.

Please submit one vulnerability per report, unless several issues must be chained together to demonstrate impact. Reports in English or Polish are welcome.

Handling of data in your report. Do not include real personal data, client documents or privileged legal material in your submission. If demonstrating the issue unavoidably exposed such data, tell us in general terms, do not copy or retain it, and we will work with you to validate the finding without further exposure. KLNR processes the personal data contained in your report (such as your contact details and technical evidence) to triage, validate and remediate the issue and to communicate with you; see Sections 8 and 9 for the regional details and your rights.

5. Your Conduct — Good-Faith Research Guidelines

To benefit from the safe harbour in Section 7, your testing and disclosure must be carried out in good faith and within the limits below.

You should:

  • test only to the minimum extent necessary to identify and demonstrate a vulnerability;
  • use only test accounts and test data that you own or are authorised to use;
  • stop testing as soon as you have established that a vulnerability exists, and report it promptly;
  • give us a reasonable opportunity to remediate before any disclosure.

You must not:

  • access, modify, download, exfiltrate, retain or destroy data that does not belong to you — confirming the existence of access is enough; do not browse, collect or copy further;
  • exploit a vulnerability beyond the minimum proof-of-concept needed to demonstrate it (PoC only);
  • degrade, disrupt or take down our services, or run DoS/DDoS or load-testing activity;
  • access, compromise or pivot through accounts, systems or data belonging to other users or third parties;
  • conduct social engineering, phishing or physical intrusion against KLNR, its personnel or its users;
  • publicly disclose, or share with any third party, details of a vulnerability before we have remediated it and agreed the timing with you;
  • demand payment, or threaten to disclose or withhold information, as a condition of reporting (such conduct is extortion and falls outside this Policy);
  • be a resident of, or located in, a country or region subject to comprehensive sanctions, or appear on any applicable sanctions or denied-party list (including EU restrictive-measures lists and U.S. OFAC lists);
  • violate any applicable law, or the rights of any third party, in the course of your research.

Coordinated disclosure. We respect your right to publish your research. We ask only that you coordinate the timing with us. As a default we aim to remediate and agree a public-disclosure date within 90 days of acknowledging a valid report, and we will keep you informed if more time is genuinely needed.

Confidentiality and professional secrecy. KLNR's users include lawyers and other professionals bound by professional secrecy and attorney–client privilege. If your research touches such material, you must treat it as strictly confidential, must not read or retain it, and must alert us immediately. Respecting this confidentiality is a condition of the safe harbour.

6. Your Expectations of Us

When you report in good faith under this Policy, we commit to:

  • acknowledge receipt of your report, typically within three (3) business days;
  • treat every good-faith report seriously and assess it promptly;
  • work to validate the issue and confirm our findings with you;
  • address, mitigate or remediate confirmed vulnerabilities in a timely manner appropriate to their severity;
  • keep you reasonably informed of our progress and the status of our investigation;
  • coordinate with you on a safe and reasonable public-disclosure timeline;
  • not seek to identify you and not disclose your identity to third parties without your consent, unless we are required to do so by law or valid legal process;
  • where you wish, publicly acknowledge your contribution;
  • not pursue or support legal action against you for research and disclosure conducted in accordance with this Policy (see Section 7).

7. Safe Harbour

KLNR considers security research and vulnerability disclosure carried out in accordance with this Policy to be authorised, lawful and welcome conduct. If you act in good faith and comply with this Policy, we will:

  • not bring or support any civil claim or criminal complaint against you arising from your research or disclosure;
  • regard your activity as authorised access for the purposes of laws that prohibit unauthorised access to computer systems, to the fullest extent permitted by applicable law (including, in the European Union, national implementations of the Directive on attacks against information systems, and in the United States, the Computer Fraud and Abuse Act and analogous state statutes);
  • where lawful, take steps to make clear to others that your conduct was authorised, if a third party brings action against you in connection with research conducted under this Policy.

This safe harbour is conditional. It does not apply if you breach this Policy, act in bad faith, attempt extortion, cause unnecessary harm, access or retain data beyond what is necessary to demonstrate a finding, or violate applicable law. The safe harbour cannot waive rights of third parties, and it does not authorise activity that any applicable law prohibits and cannot lawfully permit. If in doubt about whether an action is authorised, contact us at [security@klnr.ai] before proceeding, and we will work with you in good faith.

8. European Union — GDPR & EU Consumer Law Supplement

This Section applies where KLNR's processing of personal data in connection with this Policy is subject to Regulation (EU) 2016/679 ("GDPR") and to EU and Member-State consumer-protection law. KLNR Labs P.S.A., seated in Gdańsk, Poland, is an establishment in the European Union and acts as the single data controller for the KLNR group in respect of this Policy.

Controller and contacts. Controller: KLNR Labs P.S.A., [address], Gdańsk, Poland, registered under KRS [KRS], NIP [NIP], REGON [REGON], share capital [share capital]. General contact: [kontakt@klnr.ai]. Privacy matters: [privacy@klnr.ai]. Data Protection Officer: [DPO] at [dpo@klnr.ai].

What we process and why. When you submit a report we process the personal data you provide (such as name, email address and the technical evidence in your report) and any personal data unavoidably contained in proof-of-concept material. We use it to triage, validate, reproduce and remediate the vulnerability, to communicate with you, to credit you where you consent, to maintain security records, and to comply with our legal obligations.

Legal bases (Art. 6 GDPR). Our processing relies on: our legitimate interests in securing our systems and protecting our users (Art. 6(1)(f)); compliance with legal obligations, including security and breach-notification duties (Art. 6(1)(c)); and your consent where we publicly credit you (Art. 6(1)(a)). Where a report incidentally contains special-category data, we restrict processing to what is strictly necessary and delete it as soon as possible.

Your GDPR right                 | What it means here
Access, rectification, erasure  | You may ask for a copy of, correction of, or deletion of the personal data we hold about you in connection with your report.
Restriction & objection         | You may object to processing based on legitimate interests and ask us to restrict it, subject to our security and legal needs.
Portability                     | Where processing is by consent or contract and carried out by automated means.
Withdraw consent                | You may withdraw consent to public credit at any time, without affecting prior lawful processing.
Lodge a complaint               | You may complain to the Polish supervisory authority (Prezes Urzędu Ochrony Danych Osobowych, UODO) or to your local EU/EEA authority.

Retention and transfers. We keep report-related data only as long as necessary to remediate the issue, evidence our handling, and meet legal obligations, after which we delete or anonymise it. Where data is transferred outside the EEA, we rely on an adequacy decision or appropriate safeguards such as the European Commission's Standard Contractual Clauses.

EU consumer law. Nothing in this Policy limits any mandatory rights you may have as a consumer under EU or Member-State law, including the Unfair Contract Terms Directive (93/13/EEC) and the Unfair Commercial Practices Directive (2005/29/EC). To the extent any term of this Policy would be unfair or unenforceable against a consumer, that term applies only to the extent permitted, and the remainder of the Policy continues in effect.

9. United States — CCPA/CPRA & State Privacy Supplement

This Section applies where KLNR's processing of personal information in connection with this Policy is subject to U.S. state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and comparable laws in states such as Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA) and Utah (UCPA).

Categories and purposes. In handling your report we may collect identifiers (such as name and email address), internet/network activity contained in technical evidence, and professional information you choose to share. We use this personal information solely to triage, validate and remediate vulnerabilities, to communicate with you, to credit you where you permit, and to comply with law and protect our rights and systems.

No sale or sharing; no targeted advertising. KLNR does not sell your personal information and does not share it for cross-context behavioural advertising, as those terms are defined under the CCPA/CPRA. We do not use the personal information in your report for targeted advertising or to profile you, and we do not process sensitive personal information beyond the limited purposes permitted by law.

Your right (CCPA/CPRA and similar)         | What it means here
Know / access                              | Request the categories and specific pieces of personal information we have collected about you.
Delete                                     | Request deletion of personal information we collected from you, subject to legal and security exceptions.
Correct                                    | Request correction of inaccurate personal information.
Opt out of sale/sharing                    | Not applicable in practice because we do not sell or share your personal information.
Limit use of sensitive personal information | We already limit such use to permitted purposes.
Non-discrimination                         | We will not discriminate or retaliate against you for exercising your rights.

How to exercise your rights. Contact [privacy@klnr.ai]. We will verify your request as required by law and respond within the statutory timeframes (generally 45 days under the CCPA/CPRA, extendable where permitted). You may use an authorised agent where the law allows.

Other U.S. consumer and computer-access law. The safe harbour in Section 7 is intended to authorise your good-faith research for the purposes of the federal Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA) anti-circumvention provisions to the extent applicable, and analogous state computer-crime and unfair-trade-practice statutes. Nothing in this Policy waives any non-waivable consumer right you may have under applicable U.S. state law.

10. Changes to this Policy

We may update this Policy from time to time to reflect changes in our systems, our practices or the law. The current version is always the one published at klnr.ai, and the "Last updated" date below indicates when it last changed. Any disclosure you make is governed by the version of the Policy in effect at the time of your report. Material changes will, where appropriate, be signalled in our security.txt (RFC 9116) file.

Questions about this Policy may be sent to [security@klnr.ai].

Last updated: [effective date].

KLNR Labs P.S.A. · Gdańsk, Poland · DRAFT · 2026-06-13