Security

Last updated: April 25, 2026  ·  Krownlabs LLC

Security is a core part of how we build Kentral. This page describes our security practices and how to report vulnerabilities responsibly.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability in Kentral, please report it to us privately. Do not open a public GitHub issue or disclose the vulnerability publicly before we have had a chance to investigate and remediate.

Email your report to: security@kentral.io

Please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce or proof-of-concept (screenshots, logs, curl commands).
  • Any affected URLs, endpoints, or components.
  • Your contact information for follow-up questions.

We will:

  • Acknowledge your report within 2 business days.
  • Provide an initial assessment and expected remediation timeline within 7 business days.
  • Notify you when the issue is resolved.
  • Credit you in our acknowledgements (unless you prefer to remain anonymous).

Scope

In-scope targets for vulnerability reports:

  • kentral.io and all subdomains
  • Kentral web application and API
  • Kentral GitHub App and Slack integration

Out-of-scope:

  • Denial-of-service attacks
  • Social engineering or phishing attacks against our staff
  • Vulnerabilities in third-party services we integrate with (report those to the respective vendor)
  • Issues requiring physical access to a user's device

Our Security Practices

  • Encryption at rest — sensitive data (API keys, OAuth tokens) is encrypted using AES-256-GCM. Passwords are hashed with a modern adaptive hashing algorithm; we never store plaintext passwords.
  • Encryption in transit — all traffic is served over HTTPS/TLS 1.2+.
  • Authentication — we support email/password, magic links, GitHub OAuth, Google OAuth, and TOTP two-factor authentication.
  • Session management — sessions use secure, HttpOnly, SameSite=Lax cookies with a 30-day expiry and are invalidated immediately on sign-out.
  • Rate limiting — authentication endpoints are rate-limited to mitigate brute-force attacks.
  • Least privilege — workspace role-based access controls limit what each user can read and modify.
  • Dependency management — we regularly audit and update dependencies for known vulnerabilities.

Responsible Disclosure Policy

We ask that researchers act in good faith and do not:

  • Access, modify, or delete data belonging to other users.
  • Perform actions that could disrupt the service for other users.
  • Publicly disclose the vulnerability before we have released a fix.

We commit to not pursue legal action against researchers who follow this policy in good faith.

For general privacy questions, see our Privacy Policy. For legal matters, contact legal@kentral.io.