Security Policy
Email admin@kumand.com with the subject line "Security Vulnerability Report." Include reproduction steps, affected URL or endpoint, and your contact information. We acknowledge reports within 2 business days.
What this policy covers
This policy applies to security vulnerabilities discovered in any service operated under the kumand.com domain or its subdomains, including the Kumand platform, the public marketing site, the client intake flow, and any event vendor or venue subdomain we host. It also applies to vulnerabilities in the underlying infrastructure when those vulnerabilities can be exploited through a Kumand-controlled surface.
Safe harbor
We will not pursue civil or criminal action against security researchers who:
- Act in good faith to identify and report vulnerabilities.
- Avoid privacy violations, destruction of data, and degradation of service.
- Do not exploit the vulnerability beyond what is necessary to demonstrate impact.
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it.
- Comply with all applicable laws.
Scope
| In scope | Out of scope |
|---|---|
| kumand.com and subdomains | Third-party services we link to but do not operate |
| API endpoints under /api/ | Social engineering of staff or customers |
| Authentication and session management | Physical security of office or data centers |
| Data exposure of user information | Denial of service against production traffic |
| Server-side request forgery, injection, XSS | Automated scanner output without manual verification |
Out-of-scope reports we will not act on
- Missing security headers without a demonstrated exploit chain.
- Verbose error messages without a clear path to data exposure.
- Self-XSS that requires the victim to paste code into their own browser console.
- Known vulnerabilities in third-party software that we have not yet patched but for which a maintenance window is already scheduled.
- Reports based on outdated software versions where a fix is already deployed in production.
Response timeline
We aim to:
- Acknowledge your report within 2 business days.
- Confirm reproduction and assign severity within 7 business days.
- Resolve critical vulnerabilities within 30 days; lower severity items on a risk-prioritized schedule.
- Notify you when the issue is resolved and credit you in our security acknowledgments if you wish.
Bounty
We do not currently operate a paid bug bounty program. We do publicly credit researchers in our security acknowledgments page when they consent to disclosure.
PGP / signing
If you need to send sensitive details encrypted, request our PGP public key by emailing the same address before sending the full report; we will respond within one business day with the key. Keep exploit details out of the unencrypted key request itself.
This document describes Tactical Marketing Pro LLC's current practices for the Kumand platform at kumand.com. It is not legal advice. Your rights under applicable law may exceed what is described here.