Vulnerability Disclosure Policy

Date of Last Policy Change: November 5th, 2023

At KnowledgeOwl, we take the security and integrity of our customer’s data seriously. As such, we welcome input from security researchers to ensure that, should any vulnerabilities in KnowledgeOwl arise, that they can be addressed quickly and effectively. However, to ensure that our customers are not impacted during any vulnerability discovery activities, please follow the terms below before testing for any vulnerabilities.

KnowledgeOwl pledges to not initiate any legal action against researchers that follow the terms below. 

We do not offer any monetary rewards (e.g. bounties) for vulnerabilities reported to us.


Please restrict any testing to the following sites:


Testing KnowledgeOwl customer sites is not allowed.

Creating 1 (one) trial account per researcher is allowed. Should a researcher require a second account, or should the trial period expire before testing is complete, please contact us.


Generally, please do not perform any activities that will negatively impact users or normal functionality of KnowledgeOwl. Additionally, the following actions are specifically restricted: 

  • Modification of data owned by other users 
  • Deletion or corruption of data owned by other users
  • Denial of service attacks
  • Social engineering attacks including phishing
  • Email bombing or similar high-volume attacks
  • Mass submissions to or scanning of our contact us or support forms
  • Creating large amounts of trial accounts

Please do not violate any laws or agreements in order to locate vulnerabilities.

Reporting a Vulnerability

Please report any details of the discovered vulnerability to the following email address:

The more details that the researcher is able to provide, the faster we will be able to respond to any vulnerabilities.

Vulnerability Acceptance and Remediation

KnowledgeOwl will make an effort to address every vulnerability report that is submitted to us. Following submission, we will attempt to reproduce the finding to ensure that it is valid and impactful and not a duplicate or previously accepted risk. Should the vulnerability be valid and require remediation, KnowledgeOwl will internally discuss what actions need to be taken and how the vulnerability will be remediated. We will endeavor to keep in contact with the security researcher during this process and provide updates on projected remediation timeline and will inform the researcher of vulnerability remediation. If the researcher wishes to disclose the discovered vulnerability publicly, we ask that they talk to us first, before disclosing the issue publicly.

We do not offer monetary bounties for accepted vulnerabilities. Researchers that report vulnerabilities to us may be eligible for addition to our hall of fame.

KnowledgeOwl is not accepting the following types of reports:

Reports of the following types are currently not eligible for KnowledgeOwl's Vulnerability Disclosure Program and will not be accepted.

  • Email Spoofing (including DMARC and SPF records)
  • Missing Security Headers (such as the HSTS header), unless the lack of such a header directly leads to a vulnerability
  • Sessions not expiring on security events, such as password changes
  • Password reset tokens not being invalidated by email changes
  • Clickjacking
  • Vulnerabilities that require odd or unlikely user interaction
  • Self-XSS
  • XSS in the contents of files uploaded to the file library, unless it can be exploited directly in the UI
    • For example, a report about an HTML file uploaded to the file library, that requires the user to open the file directly using the file's Cloudfront link would not be accepted
  • XSS reports for knowledge base frontends or frontend previews (e.g. iframes like those in the style settings). Only XSS reports for are accepted.
    • For example, XSS in the descriptions of categories or articles that executes only when viewing the knowledge base frontend or its previews (e.g. {knowledgebase} are not accepted.
  • Logout Cross-Site Request Forgery
  • Resource Flooding
  • Missing Rate Limiting
  • Weak Password Policy
  • EXIF Data Not Stripped on Images
  • Browser History Management
  • Host header injection, unless an exploit is demonstrated (such as cache-poisoning or XSS)
  • Missing Email Verification
  • User Account Enumeration
  • Missing Certificate Authority Authorization Record
  • Cross Domain Script Include
  • Open CVEs in third-party JavaScript libraries, unless an exploit is demonstrated
  • Missing DNSSEC Records


If you have any questions about our vulnerability disclosure policies or process, please feel free to email us at

Thank You!

KnowledgeOwl would like to thank the following security researchers for their contributions of vulnerability reports and ensuring that KnowledgeOwl can continue to protect the data of its users.



Volodymyr "Bob" Diachenko
Rohit Soni
Ritik Sahni
Abdelali Khalfi
Nayanjyoti Roy
Jayson Vasquez Rubio
Jeffrey Hoekema
Romel Lanza
Pethuraj M |
Priyanka Narayan
Soundar M
Yash Agarwal
Anon Tuttu Venus
Badal Sardhara
Mahendra Purbia Rajasthani Hacker
Nikhil Ahire
Yogeshwaran Chandrasekaran
Farah Hawa
Akshay Parse
Pritam Mukherjee
Robert Aaron
Mohamed Saqib C
Aamir Usman Khan
Jerry Thomas
Midhun S
Akhil Sabu
Nirjhar Banik
Agrah Jain
Akshay Gaikwad
Kartik Adak
Souvik Roy
Lokesh Goyal
Bindiya Sardhara
Midhun Mohanan
Harsh Vijaykumar Parasiya
Chirag Ketan Prajapati
Gourab Sadhukhan
Nitesh Pandey
Karan Keswani
Purbasha Ghosh
Nishant Narendra Lungare
Vikash Kumar
Shubham Kumar
Abhijit P. Mali
Praful Apuri |
Dhanumaalaian R |
Tejavardhan Vishwakarma
Akash Patil
Vani K G
Ramesh Kumar Sekar
Anshuman Prajapati
Pratik Khalane
Chetan Pathade
Souvik Mondal
Eeshwar Dronavalli
Sanidhya Ved
Kinshuk Kumar
Amit Kumar
Ali Hassan Ghori
Mohammed Wasim Khan
Saranya N
Maulik Vaidh
Jha kalpeshkumar D.
Rajvee Chauhan
Poonam Panchal
Niraj Mahajan
Shoeb Raseed Shaikh
Durgesh Patil
Alok Verma
Keyur Mehta
Ashutosh Raval 
Kartik Khurana
Dhruvin Shah
Patel Riya
Dharmishtha Mandhalkar
Vishal Vishwakarma
Sachin Kalkumbe
Saransh Saraf (MR23R0)
Bikash Kumar Prasad 
Pavan Saxena
Younghun Lee
Sidhu Mossewala
Yash Kushwah (@cyberyash951)
Milan Jain (Scriptkiddie) 
Yogesh Bhandage
Heidar Zeinalli
K.Rajesh Sagar
Abhinav Bansal