Security & Vulnerability Disclosure

RoxyKovu welcomes security research. This page documents how to report a vulnerability, what is in scope, what we commit to in return, and the security posture we maintain for our website and applications. Effective date: May 12, 2026. Last updated: May 12, 2026.

Found something? Email Support@roxykovu.com. We acknowledge within 2 business days.

1. How to report a vulnerability

Please include in your report: (a) a clear description of the issue, (b) reproduction steps or a proof-of-concept, (c) the affected URL or application, (d) any prerequisites (e.g. an authenticated session), and (e) your assessment of severity. Screenshots or a short video are welcome.

2. Scope

The following are in scope for responsible disclosure:

2.1 Out of scope

3. Our commitments to researchers

4. Severity and prioritization

We use a CVSS-informed severity scale and prioritize accordingly:

5. Safe harbor

RoxyKovu considers good-faith security research conducted under this policy to be authorized activity. If you make a good-faith effort to comply with this policy during your security research, we will:

To qualify for safe harbor you must: (a) report the issue to us before any public disclosure, (b) make a good-faith effort to avoid accessing, modifying, or destroying user data that is not your own, (c) avoid degrading service availability, (d) cease testing and notify us immediately upon discovering a vulnerability that exposes user data, (e) comply with all applicable laws, and (f) not engage in extortion or threats.

This policy applies only to vulnerabilities in RoxyKovu systems. If your research touches a third party (a customer's deployment, a vendor's service, etc.), you are responsible for ensuring you have authorization from that third party.

6. Security posture

A snapshot of the controls currently in place across our hosted services. This is provided as transparency to researchers and customers; specifics may change as the security posture evolves.

6.1 Hosting and transport

6.2 Browser security headers (site-wide)

6.3 Naval Letter Builder web tool (additional)

6.4 Data flow

6.5 Software supply chain

6.6 Architecture limits and known trade-offs

7. Compliance and standards

RoxyKovu is a commercial/open-source provider. We do not currently hold any third-party security certification. The list below is the public summary of the frameworks we align with and the operational controls we run. Specific scoring, gap data, asset detail, and incident-response runbooks are maintained internally and are not published.

7.1 Frameworks we align with

7.2 Continuous controls in production

7.3 Documented controls

We maintain the following operational documentation under version control. These are internal-only; the summaries are described here so customers and researchers understand the posture without exposing specifics:

7.4 Review cadence

7.5 What we deliberately do not claim

7.6 Publicly verifiable artifacts

Where possible, the controls above produce artifacts that anyone can fetch and verify:

8. Acknowledgments

Researchers who have responsibly disclosed vulnerabilities to RoxyKovu will be acknowledged here (with their permission). No reports to acknowledge yet. Be the first.

9. Policy updates

We may revise this policy at any time. The effective date at the top of this page reflects the most recent revision. Material changes will be announced via the News page. The machine-readable policy at /.well-known/security.txt is updated in lockstep.

10. Related policies

11. Contact