A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# SECURITY.TXT

Contact: security@kagi.com
Preferred-Languages: en
Hiring: https://help.kagi.com/kagi/company/hiring-kagi.html

Encrypted mail can be arranged where appropriate.

# Policy
- The security of Kagi's systems and data is our highest priority.
- If you plan to run large scale scans, please notify us first

# Bug Bounty
- Kagi operates a [Bug Bounty program](https://help.kagi.com/kagi/privacy/bug-bounty-program.html).
- The program is subject to the legal terms and conditions outlined in our [bounty Safe Harbor policy](https://help.kagi.com/kagi/privacy/safe-harbor.html).
- If you believe you've discovered a security or privacy vulnerability that affects Kagi services or software, please report it to our security contact above. We review all eligible research for Kagi Bug Bounty rewards.