Security

Responsible disclosure for Konduit.

If you believe you have found a security issue in Konduit, send enough detail for the team to reproduce and assess it safely.

Disclosure intake

Send reports to security@konduit.gg. Please include only the information needed to validate the issue.

What to include

  • Email security@konduit.gg with a clear summary, affected surface, impact, and reproduction steps.
  • Avoid accessing data that is not yours, disrupting service, or sharing details publicly before coordination.
  • We will review the report, ask for clarification when needed, and coordinate remediation before public disclosure.

Konduit keeps TLS validation enabled. Reports about transport, authentication, or credential handling are welcome through the same intake.

Responsible disclosure

Send security reports to security@konduit.gg with scope, impact, and reproduction steps.

Encrypted sensitive storage

Sensitive OAuth and account material follows the secure-storage allowlist architecture.

Dependency posture

Launch checks include npm audit review, secret scanning, and a Snyk evaluation path.

Telemetry is gated

Sentry capture stays inert until the marketing-site DSN is provisioned, and events are sanitized before leaving the site.

Transport posture

Konduit keeps TLS verification enabled. Security reports about certificate handling, downgrade risk, redirects, or transport assumptions should include the affected URL, the environment, and reproduction steps.

Sensitive storage architecture

OAuth tokens, refresh tokens, JWTs, and secrets are routed through the encrypted-at-rest sensitive-key architecture, which accepts only allowlisted key names. Storing credentials in plaintext is outside launch policy.

OAuth exchange model

Connected platform flows use scoped OAuth permissions and one-time exchange patterns where platforms support them. Do not send access tokens in screenshots unless the report requires it.

Scanning and roadmap

Launch verification includes npm audit review and secret-scanning posture. Snyk evaluation is planned after launch hardening, and no Sentry-specific product telemetry is enabled at launch.