At Kannamma Stories, the security of our website, our customers' data, and especially children's information is our top priority. We welcome and appreciate security researchers, ethical hackers, and concerned users who help us identify and fix vulnerabilities. This policy outlines how to responsibly report security issues to us.
1. Scope
This policy applies to security vulnerabilities found in:
- kannammastories.com — Our main website and all subdomains.
- Our web application, including user accounts, order flow, and checkout process.
- APIs and backend services that power our website.
- Our mobile-responsive web application.
Out of Scope:
- Third-party services we use (Cashfree, PayPal, Sanity CMS, Vercel, Google Analytics) — please report vulnerabilities in those services directly to the respective providers.
- Social engineering attacks against our team members.
- Physical security of our premises.
- Denial-of-service (DoS/DDoS) attacks — do not test for these.
- Spam or social engineering via our contact forms or WhatsApp.
2. How to Report a Vulnerability
If you discover a security vulnerability, please report it to us responsibly:
- Email us at: kannamma.stories@gmail.com
- Include the following details:
  - A clear description of the vulnerability and its potential impact.
  - Step-by-step instructions to reproduce the issue.
  - Screenshots, videos, or proof-of-concept code (if applicable).
  - The URL(s) or endpoint(s) affected.
  - Your name/handle (if you'd like to be credited).
- Use encrypted communication if the vulnerability involves sensitive data. We can provide a PGP key upon request.
3. What We Ask of You
- Do not access, modify, or delete data belonging to other users.
- Do not perform actions that could disrupt our service (DoS attacks, resource exhaustion, spam).
- Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
- Do not publicly disclose the vulnerability until we have had reasonable time to fix it (minimum 90 days, or until the fix is deployed — whichever comes first).
- Do not use automated scanning tools that generate excessive traffic or could impact site performance.
- Do act in good faith and avoid violating the privacy of our users, especially children's data.
- Do delete any data you may have accessed during your research once the vulnerability is reported.
4. Our Response Timeline
| Action | Timeline |
|---|---|
| Acknowledgment of your report | Within 48 hours |
| Initial assessment & severity classification | Within 7 days |
| Fix deployed (critical vulnerabilities) | Within 7 days |
| Fix deployed (high severity) | Within 30 days |
| Fix deployed (medium/low severity) | Within 90 days |
| Notification to reporter once fixed | Within 48 hours of fix |
5. Vulnerability Classifications
- Critical: Remote code execution, SQL injection, authentication bypass, exposure of customer/children's personal data, payment data exposure.
- High: Cross-site scripting (XSS) with data access, privilege escalation, server-side request forgery (SSRF), insecure direct object references (IDOR) with data exposure.
- Medium: Reflected XSS without data access, CSRF on non-sensitive actions, information disclosure (non-sensitive), open redirects.
- Low: Missing security headers, verbose error messages, outdated software versions without known exploits, clickjacking on non-sensitive pages.
6. Recognition & Acknowledgment
- We will publicly acknowledge and credit security researchers who report valid vulnerabilities (with your permission).
- We maintain a Security Hall of Fame on this page to recognize contributors.
- While we are a small business and do not currently offer monetary bug bounties, we deeply appreciate your help and will express our gratitude with Kannamma Stories merchandise and personalized thank-you products.
- We will never take legal action against researchers who act in good faith and follow this policy.
7. Safe Harbor
We consider security research conducted in accordance with this policy to be authorized and will not pursue legal action against researchers who:
- Act in good faith and follow the guidelines in this policy.
- Avoid actions that could harm our users or disrupt our services.
- Report vulnerabilities promptly and do not exploit them beyond proof-of-concept.
- Do not access, store, or share data belonging to our users (especially children's data).
If you are unsure whether your research would comply with this policy, please contact us at kannamma.stories@gmail.com before proceeding.
8. Our Security Practices
We take the following measures to protect our platform and users:
- TLS/SSL encryption for all data in transit (HTTPS enforced across all pages).
- AES-256 encryption for sensitive data at rest.
- PCI DSS-compliant payment processing through Cashfree and PayPal (we never store card data).
- Regular dependency updates and security patches.
- Content Security Policy (CSP) headers to prevent XSS attacks.
- Rate limiting on authentication and API endpoints.
- Automated vulnerability scanning and monitoring.
- Principle of least privilege for all system access.
- Strict data handling policies for children's information (see our Privacy Policy).
9. Contact
For security-related reports and inquiries:
- Security Email: kannamma.stories@gmail.com
- General Email: kannamma.stories@gmail.com
- WhatsApp: +91-8341128359
Please use the security email for vulnerability reports. Do not report security issues via WhatsApp or social media, as these channels are not secure for sensitive information.