Security policy
We take the security of our users and our infrastructure seriously, and we welcome reports from independent security researchers acting in good faith. This policy describes how we receive, triage, and respond to vulnerability reports, and what we ask of researchers in return.
A machine-readable version of the contact information below is published at /.well-known/security.txt per RFC 9116.
1. Our commitment
We are committed to :
- providing a clear, monitored channel for vulnerability reports ;
- acknowledging incoming reports promptly and treating them with care ;
- coordinating disclosure timelines transparently ;
- not taking legal action against researchers who comply with this policy ;
- crediting researchers in our Hall of Fame (when desired).
2. Scope
In scope :
- The satooB platform —
satoob.comand any subdomain operated by Konatamo LLC, including the public marketing site, the dashboards, the merchant cashier portal, the in-store kiosk surfaces, and the public landing pages for vouchers, cashback, and quests. - The satooB public APIs and webhooks documented under
/api/*and the equivalent server actions exposed via the platform. - Source-code repositories under the Konatamo organisation on GitHub (
satooband any other public repositories, when published).
Out of scope :
- Third-party services we depend on but do not control (Vercel, Supabase, Stripe, Cloudflare, Resend, PostHog, Mercury Bank, Hostinger, Google Workspace). Please report vulnerabilities in those services directly to the providers' own security teams.
- Volumetric attacks (denial of service, distributed denial of service, layer-7 flooding).
- Social engineering of Konatamo LLC personnel, partners, or customers.
- Physical attacks on our offices or our suppliers' facilities.
- Reports of missing security headers, missing rate limits, or missing TLS configurations that have no exploitable impact on user data, account integrity, or platform availability.
3. How to report
Please email security@satoob.com with :
- A clear description of the vulnerability, including the affected endpoint or component.
- Steps to reproduce — concrete, minimal proof-of-concept where possible.
- The impact you assess (confidentiality / integrity / availability) and a suggested severity (Critical / High / Medium / Low).
- Your contact details, and any handle you would like us to use if we credit you in the Hall of Fame.
A future PGP key for encrypted reports may be published at /.well-known/pgp-key.txt ; until then, please consider not including raw exploit details in unencrypted email.
4. Our response
When we receive a report :
- Within five (5) business days — we acknowledge receipt of your report.
- Within fifteen (15) business days — we provide an initial triage, including a preliminary severity assessment and any clarifying questions.
- Within ninety (90) days — we aim to resolve the vulnerability, deploy the fix, and confirm with you that the issue is closed. Where the fix requires more time (third-party dependencies, non-trivial architectural change), we will keep you informed of progress.
5. Safe harbor
Konatamo LLC will not pursue or support legal action against you for security research conducted in good faith and in accordance with this policy, including (without limitation) :
- Accessing only systems within scope and only the minimum data required to demonstrate the vulnerability.
- Avoiding any action that would impact other users (e.g. denial-of-service testing in production, privilege escalation that pivots into unrelated tenants, exfiltration of more data than required to prove the issue).
- Refraining from public disclosure of the vulnerability before we have had a reasonable opportunity to remediate.
- Returning, destroying, or refraining from disclosing any data accessed during the research.
If you are unsure whether a given testing approach falls within the safe harbor, please contact us at security@satoob.com before proceeding.
6. Bug bounty
We do not currently operate a paid bug-bounty programme. We may consider one in the future ; in the meantime :
- Acknowledgment — meaningful reports may be credited in our Hall of Fame (Section 7) at the researcher's request.
- Swag and credits — where a report leads to a meaningful platform improvement, we may at our discretion offer Konatamo-branded swag, satoPOINTS credits, or a public letter of recognition.
- Coordinated disclosure — we are happy to co-author a disclosure write-up with the researcher once a fix has been deployed.
7. Hall of Fame
We maintain this section to publicly recognise researchers whose responsible disclosures have improved the security of the satooB platform. The list below is currently empty — we look forward to crediting you soon.
8. Contact
- Security disclosures — security@satoob.com
- Legal escalation — legal@konatamo.com
Postal address (for legal service of process) : Konatamo LLC, 1209 Mountain Road Pl NE, Ste R, Albuquerque, NM 87110, USA.