Kinetics Plus LLC - Responsible Vulnerability Disclosure Policy

Effective Date: 10/01/2025

1. Purpose

Kinetics Plus LLC is committed to maintaining the security of our systems and services. We welcome responsible disclosure of security vulnerabilities by independent researchers and provide this public policy to support coordinated and safe reporting.

2. Scope

This policy applies to:

  • Kinetics Plus LLC public-facing websites
  • Systems, applications, and services owned or operated by Kinetics Plus LLC
  • Microsoft 365 services used by our organization

Out of Scope

The following are not authorized for testing:

  • Third-party systems not owned by Kinetics Plus LLC
  • Customer or vendor systems
  • Physical testing or social engineering

3. Safe Harbor

Researchers acting in good faith and following this policy are authorized to perform limited testing for the purpose of identifying vulnerabilities. Kinetics Plus LLC will not pursue legal action for good-faith research aligned with this policy.

The following conditions apply:

  • No exploitation beyond what is necessary to demonstrate the issue
  • No service disruption
  • No access, modification, or exfiltration of data
  • Immediate reporting of unintended access

4. Prohibited Activities

Researchers must not:

  • Access customer data or internal confidential information
  • Perform denial-of-service (DoS) attacks
  • Use malware, ransomware, or viruses
  • Perform phishing or social engineering
  • Attempt physical compromise of facilities or hardware

5. Reporting a Vulnerability

If you discover a potential security vulnerability, report it to us at:

Email: security@kineticsplusllc.com

Please include:

  • Description of the issue
  • Steps to reproduce
  • Proof of concept (if available)
  • Impact assessment

6. Response Commitments

  • Acknowledgment within 5 business days
  • Validation within 15 business days
  • Remediation prioritized by severity
  • Regular communication with the researcher

We request a 90-day coordinated disclosure period unless mutually agreed otherwise.

7. Bug Bounty Participation

While Kinetics Plus LLC does not operate a public bug bounty program, we are willing to participate in customer-required bug bounty programs as necessary.

8. Legal

By submitting a vulnerability report, you agree to comply with applicable laws and act in good faith. Safe harbor applies only if this policy is strictly followed.

9. Contact

For questions or clarifications about this policy, contact:
Kinetics Plus LLC – Security Team
security@kineticsplusllc.com
