If you've found a security issue in our systems, tell us.
Yinkozi runs a clear, fast, no-bureaucracy disclosure process. Send a single email; we will respond within two business days. Safe-harbour applies for good-faith research conducted under this policy.
One channel, written disclosure.
Send the report by email with the subject line "Security disclosure".
Include:
- The system or product affected (URL, asset, repository, deployment).
- Reproduction steps, exact enough that a reviewer can trigger the issue.
- The impact, in a sentence — what an attacker could do with this.
- Your contact details and disclosure timeline expectations.
- Whether you would like public credit and under what name.
For sensitive material, request our PGP public key in the first email — we will reply with it before you transmit anything sensitive.
What we want to know about.
- Yinkozi web properties
yinkozi.com and any subdomain we operate, including the public web, contact endpoints, and any internal-facing surface that is reachable from the public internet.
- YinkoShield product line
YinkoShield runs its own disclosure surface at yinkoshield.com/security. Issues there can also be sent here and we will route them.
- Open-source artefacts we publish
Any code or analyzer we have published under the Yinkozi name. Issues in third-party dependencies should go upstream first; tell us if upstream is unresponsive.
What we do not need reported.
- Customer environments. We do not own them, and we cannot accept reports about them — those go directly to the customer.
- Findings from automated scanners without manual validation, such as SSL configuration warnings, security headers we have intentionally omitted, or version disclosure without an exploit path.
- Volumetric or denial-of-service issues — please do not test these against us; describe theoretical concerns instead.
- Social-engineering attacks against Yinkozi staff, customers, or third parties.
What to expect from us.
First response within two business days. Often much faster.
Triage within five business days for confirmed issues — initial severity assessment and a working remediation timeline.
Disclosure coordination. We support responsible coordinated disclosure. The default window is 90 days from confirmation, extendable by mutual agreement when the issue requires more time to fix safely.
Safe-harbour. We will not pursue legal action against good-faith researchers who comply with this policy: do not exfiltrate data beyond proof-of-concept, do not access other users' accounts, do not affect availability, and report promptly. If in doubt, ask us first.
Public credit. We name researchers in the disclosure write-up if you would like — we will not name you against your will.