Security Disclosure
Last Updated: February 25th, 2026
We Value Security Researchers
We value the contributions of the security research community and recognize the importance of a coordinated approach to vulnerability disclosure. If you have discovered a security vulnerability, we encourage you to let us know immediately. We welcome the opportunity to work with you to resolve the issue promptly.
Our program is covered by HackerOne's industry standards, including Coordinated Vulnerability Disclosure, Safe Harbor, Core Ineligible Findings, and Detailed Platform Standards.
Scope
This policy applies to:
- kilo.ai and all its subdomains (*.kilo.ai)
- Kilo Code extensions (VS Code, JetBrains IDEs)
- Kilo Code CLI
- Source code at github.com/Kilo-Org/kilocode and github.com/Kilo-Org/cloud
Out of scope: Third-party services, vendor systems, and services not explicitly listed above.
How to Report
Please email your findings to security@kilo.ai. We will acknowledge your report and work with you to resolve the issue.