Security Disclosure Policy
Scope
This policy applies to the digital services of the Principality of Kaharagia. It covers any service hosted under kaharagia.org, its subdomains, and services operated by the Principality under other domains (including those operated by the Káhareži Fondazár where the underlying service is Kaharagian).
The Principality maintains a security.txt file at each public-facing service describing the relevant contact and the canonical URL of this policy.
How to Report
If you believe you have found a security vulnerability affecting a Kaharagian service, please contact the Office of Digital Government & Cybersecurity:
Office of Digital Government & Cybersecurity, Secretariat of State
security@kaharagia.org
Please describe the issue, the steps required to reproduce it, the affected service or URL, and any proof of concept you can provide. If you are reporting on behalf of an organisation, indicate so. If you wish to remain anonymous, you may, though this limits our ability to acknowledge your work and to ask follow-up questions.
If the matter is particularly sensitive, you may request an encrypted channel before sharing details. A PGP key is available on request.
What We Ask of You
In order for a report to be received under this policy, please:
- Make every reasonable effort to avoid privacy violations, degradation of service, destruction or alteration of data, and interruption of operations.
- Only interact with accounts you own or have explicit permission to access.
- Refrain from publicly disclosing the vulnerability until we have had a reasonable opportunity to investigate and remediate.
- Do not engage in social engineering, physical attacks, denial-of-service testing, or any conduct that would cause harm to nationals or to third parties.
- Do not use automated scanners against production services without prior arrangement.
Researchers who act in good faith and within the bounds of this policy will not have their conduct treated as a hostile act against the Principality.
What You Can Expect
When you submit a report:
- We will acknowledge receipt within one business day.
- We will provide an initial assessment within five business days.
- We will keep you informed of progress at reasonable intervals.
- We will tell you when the matter is resolved, and when we have published any associated advisory.
- If you wish, and if your report meets the criteria below, we will list you on the Security Acknowledgments page.
We do not currently operate a paid bug bounty programme. Acknowledgment is the recognition we are able to offer.
Out of Scope
The following are generally out of scope under this policy:
- Reports generated solely by automated scanners without manual validation
- Missing security headers without a demonstrated impact
- Issues affecting end-of-life software or services that have been formally retired
- Theoretical vulnerabilities without a practical attack path
- Denial-of-service attacks or resource-exhaustion testing
- Social engineering of Kaharagian personnel or nationals
- Physical attacks on infrastructure
- Issues affecting third-party services that we use but do not operate (please report to the relevant vendor)
If you are unsure whether a particular concern is in scope, please ask.
Confidentiality and Coordinated Disclosure
We work on a coordinated-disclosure basis. We ask researchers not to make their findings public until we have had a chance to remediate. We will agree a disclosure timeline with you on a case-by-case basis, ordinarily within ninety days of the initial report, but earlier or later by mutual agreement.
Where a vulnerability affects nationals' data or essential services, we may publish an advisory in the Royal Kaharagian Gazette following remediation. Researchers may be named in such advisories with their consent.
Legal Position
The Principality of Kaharagia regards good-faith security research that follows this policy as authorised conduct. We will not pursue legal action against researchers who act in accordance with it. This policy does not, however, grant authority to act against systems operated by third parties or to violate the laws of any other state.
Review
This policy is reviewed on an annual basis, or sooner if the Principality's services or its security practices change materially.