← Back to home

Security Disclosure Policy

Last updated: March 17, 2026

Our Commitment

At Knod, Inc., the security of Codemend and the data entrusted to us is a top priority. We appreciate the work of security researchers and the broader community in helping us maintain a secure product. If you believe you have found a security vulnerability, we encourage you to disclose it responsibly.

How to Report a Vulnerability

Please report security vulnerabilities by emailing our security team directly:

  • Email: security@codemend.ai
  • Include a clear description of the vulnerability and the potential impact
  • Provide reproduction steps or a proof-of-concept if possible
  • Include any relevant screenshots, logs, or supporting material
  • Let us know if you would like credit for the discovery

Please do not disclose the vulnerability publicly until we have had an opportunity to investigate and address it.

What We Commit To

  • Acknowledgment within 48 hours — We will confirm receipt of your report and provide an initial assessment within 48 hours
  • Critical issues addressed within 7 days — For vulnerabilities that pose an immediate risk to user data or service integrity, we commit to deploying a fix within 7 days of confirmation
  • Transparent communication — We will keep you informed of our progress and notify you when the issue has been resolved
  • No legal action — We will not pursue legal action against researchers who discover and responsibly disclose vulnerabilities in good faith

Responsible Disclosure Guidelines

We ask that security researchers:

  • Give us reasonable time to investigate and fix the issue before any public disclosure
  • Do not access, modify, or delete data belonging to other users
  • Do not perform denial-of-service attacks or other disruptive testing
  • Do not use social engineering techniques against our team or users
  • Do not exploit vulnerabilities beyond what is needed to demonstrate the issue

Scope

In-scope for vulnerability reports:

  • codemend.ai and all subdomains
  • The Codemend web application and dashboard
  • The Codemend public API (api.codemend.ai)
  • The codemend-ai npm SDK

Out of scope:

  • Vulnerabilities in third-party services we rely on (Supabase, Anthropic, Stripe, etc.) — please report those directly to those vendors
  • Issues that require physical access to a user's device
  • Social engineering of users

Bug Bounty

We do not currently operate a paid bug bounty program. We are grateful for responsible disclosures and will acknowledge researchers by name (if desired) in our security acknowledgments. We may offer account credits or other recognition at our discretion.

Contact

Codemend is a product of Knod, Inc. For security concerns:

See also: Terms of Service · Privacy Policy · Data Processing Agreement