A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# SECURITY.TXT

Contact: mailto:vprelovac@kagi.com
Hiring: mailto:vprelovac@kagi.com
Canonical: https://kagi.com/.well-known/security.txt

The security of Kagi's systems and data is our highest priority.

We have had our security independently audited (https://blog.kagi.com/security-audit) by Illumant (https://www.illumant.com).

The audit found Kagi to be "Highly Secure" with "…no findings of material significance. This indicates that the organization’s applications, systems, networks and data are well protected."

## Kagi Bug Bounty Program

If you believe you’ve discovered a security or privacy vulnerability that affects Kagi services or software, please report it to our security contact (vlad@kagi.com). We review all eligible research for Kagi Bug Bounty rewards.

The Kagi Bug Bounty Program is subject to the legal terms and conditions outlined in our bounty Safe Harbor policy (https://help.kagi.com/kagi/privacy/safe-harbor.html).