Security & Responsible Disclosure

Effective May 24, 2026

1. Introduction

Kronisys Inc. ("Kronisys," "we," "us," or "our") takes the security of the Strata platform and the trust of its users seriously. We appreciate the work of security researchers in identifying and responsibly disclosing vulnerabilities. This Security and Responsible Disclosure Policy ("Policy") describes how to report a security issue to us and the protections we offer to researchers who act in good faith.

This Policy applies to the Strata platform, our website, and related services (collectively, the "Services") operated by Kronisys. It does not apply to third-party services, subprocessors, or systems we do not control.

2. How to Report a Vulnerability

If you believe you have discovered a security vulnerability in the Services, please report it to us by email at legal@kronisys.com with the subject line "Security Report".

Information to include

To help us triage and reproduce the issue quickly, please provide:

  • A clear, written description of the vulnerability and its potential impact
  • The affected URL, endpoint, component, or feature
  • Step-by-step reproduction instructions, including any required preconditions
  • Proof-of-concept code, payloads, screenshots, or video where helpful
  • Your name and contact information (or an alias you wish to be credited as)
  • Any related CVEs, references, or prior disclosures

Please use OpenPGP or another encrypted channel if your report contains sensitive details. If you need our public key, request it in your initial message and we will respond.

3. Safe Harbor

Kronisys considers good-faith security research conducted in accordance with this Policy to be authorized conduct under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and analogous state and foreign laws. Subject to the conditions below, Kronisys will not:

  • Initiate or support any law enforcement investigation against you for your research
  • File a civil lawsuit against you in connection with your research
  • Seek to enforce against you any provision of our Terms of Service or Usage Policy that would otherwise prohibit the research activities

This safe harbor applies only to security research that:

  • Is conducted in good faith and is consistent with this Policy
  • Stays within the scope defined in Section 4 (Scope) and avoids the prohibitions in Section 6 (Researcher Conduct)
  • Reports the vulnerability to Kronisys promptly and gives us a reasonable opportunity to remediate before public disclosure, in accordance with Section 8 (Coordinated Disclosure)
  • Does not violate the privacy, intellectual property, or other legal rights of Kronisys, our users, or any third party
  • Does not violate any law other than those for which Kronisys grants authorization above

If you have a question about whether a planned activity is within the scope of this Policy, please contact us at legal@kronisys.com before you act. We will work with you in good faith to clarify scope. Authorization is granted only to the extent stated in this Policy; we cannot waive the rights of third parties, and this safe harbor does not extend to third-party systems even when reached through the Services.

4. Scope

The following Kronisys-operated assets are in scope:

  • Strata application: app.strata.kronisys.com and any subdomains owned by Kronisys
  • Strata API endpoints served from the application above
  • Strata marketing and documentation site: strata.kronisys.com
  • Kronisys corporate website: kronisys.com

Vulnerability classes generally considered in scope include, without limitation:

  • Authentication and authorization bypasses, privilege escalation, and broken access control
  • Cross-tenant data exposure, including isolation failures between organizations
  • Server-side request forgery (SSRF), remote code execution (RCE), and command injection
  • SQL injection, NoSQL injection, and other injection vulnerabilities
  • Cross-site scripting (XSS), cross-site request forgery (CSRF), and clickjacking with demonstrated impact
  • Insecure direct object references (IDOR) and broken function-level authorization
  • Sensitive data exposure (credentials, tokens, personally identifiable information)
  • Cryptographic flaws and weaknesses in our use of encryption
  • Business-logic flaws with material security impact

5. Out of Scope

The following are out of scope and will generally not be eligible for safe harbor or recognition:

  • Third-party services, subprocessors, or dependencies not controlled by Kronisys (e.g., Microsoft Azure, Microsoft Foundry, OpenAI, Anthropic, xAI, Microsoft 365 services). Vulnerabilities in these systems should be reported to the respective vendor.
  • Reports that depend on social engineering, phishing, or pretexting attacks against Kronisys employees, contractors, customers, or users
  • Physical attacks against Kronisys offices, equipment, or personnel
  • Denial-of-service (DoS), distributed denial-of-service (DDoS), brute-force attacks, or volumetric testing of any kind
  • Reports generated solely by automated scanners without demonstration of a real, exploitable impact
  • Missing or weak security headers, cookie flags, TLS configuration findings, or SPF/DKIM/DMARC findings without demonstrated impact
  • Self-XSS, login or logout CSRF on pages with no state-changing effect, and similar low-impact issues
  • Rate-limit absence on actions with no security impact
  • Outdated software versions absent a working exploit demonstration
  • Reports about AI model outputs (hallucinations, biased responses, jailbreaks) that do not result in unauthorized access to data or systems
  • Username enumeration on public sign-up or login pages
  • Issues requiring physical access to a victim's unlocked device or browser session
  • Issues in software no longer under active support

6. Researcher Conduct

To remain within the scope of this Policy and the safe harbor in Section 3, you agree that you will not:

  • Access, modify, exfiltrate, retain, or destroy data belonging to Kronisys, our customers, or any third party beyond what is strictly necessary to demonstrate the vulnerability
  • Use a discovered vulnerability to pivot into other systems or escalate access beyond what is necessary to confirm the issue
  • Disrupt, degrade, or interfere with the operation of the Services or any third-party service
  • Use automated scanners or tools that generate significant traffic or that may impact availability
  • Perform any testing on accounts you do not own and do not have explicit permission to test, except by using a test account you create
  • Disclose the vulnerability to any third party before Kronisys has had a reasonable opportunity to remediate it (see Section 8)
  • Demand payment, threaten disclosure, or otherwise engage in extortion in connection with a report
  • Violate any law (other than those for which Kronisys grants authorization in Section 3) or the rights of any person

Researchers who exceed the scope of authorized activity, or who fail to comply with this Policy, forfeit safe-harbor protection and may be subject to legal action.

7. Our Commitments

When you submit a report in accordance with this Policy, Kronisys will:

  • Acknowledge receipt of your report within five (5) business days
  • Triage the report and provide an initial assessment, including severity and likely next steps, within fifteen (15) business days
  • Communicate in good faith and keep you informed of progress at reasonable intervals throughout remediation
  • Remediate validated vulnerabilities on a timeline appropriate to severity, prioritizing those with the highest user impact
  • Credit you for your research, where appropriate and with your consent, in our Security Hall of Thanks (see Section 9)
  • Not pursue legal action against good-faith researchers who comply with this Policy

8. Coordinated Disclosure Timeline

Kronisys follows a coordinated-disclosure model. We ask researchers to give us a reasonable opportunity to remediate before publicly disclosing a vulnerability.

  • Default disclosure window: ninety (90) days from the date Kronisys acknowledges the report.
  • Extensions: we may request an extension if the issue is complex, affects a third-party component, or otherwise requires additional time. We will explain the reason and propose a revised date.
  • Active exploitation: if a vulnerability is being actively exploited, we may accelerate remediation and may publish guidance more quickly.
  • Coordinated public statement: we encourage researchers to coordinate the timing and content of any public statement, advisory, or CVE filing with us, and we will collaborate on credit and language where appropriate.

Publishing a vulnerability before remediation, or before the coordinated disclosure window expires, may forfeit safe-harbor protection under Section 3.

9. Recognition

Kronisys does not currently operate a paid bug-bounty program. We provide recognition for valid, in-scope reports in the following ways:

  • Public acknowledgment in our Security Hall of Thanks (with your consent and at your preferred name or alias)
  • A written letter of acknowledgment on Kronisys letterhead, on request, suitable for inclusion in a portfolio or resume

If Kronisys launches a paid bug-bounty program in the future, the terms of that program will be published separately. Submitting a report under this Policy does not entitle you to compensation, and no offer of compensation should be inferred from this Policy.

10. Confidentiality

By submitting a report, you agree to keep the existence and content of the vulnerability confidential until the earlier of (a) Kronisys's notice that remediation is complete or (b) expiration of the disclosure window described in Section 8, except as required to coordinate disclosure with Kronisys.

Kronisys will treat your report and your identity as confidential and will not share them with third parties without your consent, except as required by law, by court order, or as necessary to investigate or remediate the vulnerability (for example, with affected service providers).

11. No Warranty; No Waiver of Third-Party Rights

This Policy reflects Kronisys's commitments to researchers acting in good faith. It does not create a contract, an employment relationship, or any other legal obligation beyond what is expressly stated. Kronisys makes no warranty regarding the safety, success, or outcome of any research activity and disclaims any liability for incidental or consequential damages arising from research conducted under this Policy.

Nothing in this Policy waives the rights of any third party or authorizes activity that would violate the rights of any third party. The safe harbor described in Section 3 is granted only by Kronisys and only with respect to systems and conduct within its control.

12. Changes to This Policy

Kronisys may update this Policy from time to time. Material changes will be reflected in the "Effective" date at the top of this page. Reports submitted before a change are governed by the version of the Policy in effect at the time of submission.

13. Contact

To report a vulnerability or ask a question about this Policy, contact: