Security Disclosure

Vulnerability Reporting

If you identify a security vulnerability in our website, products, or services, please send a detailed report to info@knowhy.co. We will provide an initial response within 48 hours.

1. Scope

• knowhy.co main website and all subdomains (*.knowhy.co)
• E-Commerce AI Assistant, Informatic AI Assistant, and customer support platforms
• Knowhy Reporting, A2A Agent System, API services, mobile applications, and third-party integrations

2. Responsible Disclosure Policy

• Report the vulnerability by email to info@knowhy.co.
• Provide clear reproduction steps, potential impact, severity, and a PoC when possible.
• Keep the report confidential, allow reasonable time for remediation, and work only with your own test accounts and data.
• Do not access other people's data, cause service disruption, perform social engineering, or use the vulnerability commercially.

3. Reporting Process

• Acknowledgement: 0-48 hours
• Review and assessment: 2-7 days
• Remediation work: maximum 7 days targeted for critical findings and maximum 30 days for high-severity findings
• After remediation, we will inform you and may credit the researcher when appropriate.

4. Required Report Information

• Affected URL, IP address, or service name
• Vulnerability type, reproduction steps, screenshots/videos, or PoC
• Affected user roles, estimated impact, tools used, and your contact information

5. Our Security Measures

• SSL/TLS, DDoS protection, WAF, patch management, network segmentation, and real-time monitoring
• AES-256 encryption, data minimization, backups, anonymization, and data lifecycle management
• OWASP Top 10 alignment, secure SDLC, code review, SAST/DAST, dependency scanning, and vulnerability management
• MFA, RBAC, least privilege, session management, and access logs

6. Status Page and Transparency

System issues, incidents, planned maintenance, and security events are published at status.knowhy.co.

7. Out of Scope

• DoS/DDoS testing, physical security testing, and social engineering attacks
• Vulnerabilities in third-party services that do not belong to us
• Already known vulnerabilities that are under remediation
• Spam issues, low-impact information disclosures, and known issues in outdated software versions

8. Legal Safe Harbor

We will not put good-faith researchers at legal risk when they act in accordance with this policy and do not violate user privacy. We reserve our legal rights if these conditions are not followed.

9. Data Privacy and KVKK Compliance

• Information shared in security reports is processed in accordance with KVKK and GDPR principles.
• It is used only to assess and remediate the vulnerability.
• It is not shared outside authorized security personnel and is securely retained or destroyed after the process is complete.

10. Vulnerability Severity Levels

• Critical: CVSS 9.0-10.0, response 24 hours, remediation target 7 days
• High: CVSS 7.0-8.9, response 48 hours, remediation target 30 days
• Medium: CVSS 4.0-6.9, response 72 hours, remediation target 60 days
• Low: CVSS 0.1-3.9, response 7 days, remediation target 90 days

11. Contact

• Company: KNOWHY İLERİ TEKNOLOJİ TİCARET LİMİTED ŞİRKETİ
• Email: info@knowhy.co
• Status Page: status.knowhy.co
• Tax Office: Ataşehir
• Tax No: 5641406556
• Address: Barbaros Mah. Şebboy Sokak No:4/1 İç Kapı No:1 Ataşehir/İstanbul Dijitalpark Teknokent