Report Security Issues

Last updated: June 2026

At Kutogo, we take security seriously. We protect our customers' data, payments, and accounts with industry-standard tools — but no system is ever bulletproof. If you've spotted a vulnerability, suspicious activity, or anything that looks like a security risk on kutogo.com, we want to hear about it. This page explains how to report security issues responsibly and what happens next.

What to Report

We welcome reports about anything that could affect the security of our website, customer data, or payment systems, such as:

• Website vulnerabilities — bugs, exploits, or weaknesses in our code
• Account issues — suspicious logins, unauthorized access, or hijacked accounts
• Payment fraud — unauthorized charges or suspicious billing activity
• Phishing attempts — fake emails or websites pretending to be Kutogo
• Data exposure — leaked customer info, passwords, or private data
• Malware or scams — suspicious links, downloads, or fraudulent ads claiming to be from us
• Social engineering — anyone impersonating Kutogo staff or customers

Not sure whether something counts? Report it anyway. We'd rather get a false alarm than miss a real threat.

How to Report

Email us directly at contact@kutogo.com. The more detail you include, the faster we can act:

• A clear description of the issue
• Where you found it (URL, page, account section, etc.)
• Steps to reproduce it, if it's a website vulnerability
• Screenshots or screen recordings if you have them
• The date and time you discovered it
• Your contact info so we can follow up

Subject line tip: start your email with "SECURITY REPORT" so it gets flagged right away.

What NOT to Do

To keep everyone safe and stay within legal bounds, please do not:

• Publicly disclose the issue before we've had a chance to fix it
• Share the vulnerability with third parties or post it on forums
• Attempt to exploit the issue beyond what's needed to confirm it
• Access, modify, or download other users' data
• Run automated scans, brute-force attacks, or denial-of-service tests on our site
• Use the issue for personal gain, fraud, or extortion

Responsible disclosure protects our customers and gives us a fair chance to fix the problem.

What Happens After You Report

• Acknowledgment. We'll confirm we got your message within 2 business days.
• Investigation. Our team reviews and verifies the issue — usually 3–7 business days, depending on complexity.
• Resolution. Once confirmed, we work to fix the vulnerability as quickly as possible.
• Follow-up. We'll let you know when it's resolved and may credit you publicly (with your permission) for the discovery.

We don't currently run a paid bug bounty program, but we sincerely appreciate every responsible report and may offer recognition or thanks where appropriate.

If Your Account Has Been Compromised

If you think your Kutogo account has been accessed without your permission:

• Change your password immediately — on Kutogo and on any other site where you reuse it
• Email contact@kutogo.com with the subject line "ACCOUNT COMPROMISED"
• Include your order history details so we can verify your identity
• Check your bank statements for unauthorized charges and contact your bank if needed

We'll lock down your account, review recent activity, and help you recover access safely.

Phishing & Fake Kutogo Messages

Scammers sometimes pretend to be real businesses to steal data or money. Kutogo will never:

• Ask for your password by email, phone, or text
• Request your full credit card number outside our secure checkout
• Send links asking you to "verify" or "confirm" your account on a third-party site
• Demand payment in gift cards, cryptocurrency, or wire transfers
• Threaten to close your account unless you act immediately

If you get a suspicious message claiming to be from Kutogo, forward it to contact@kutogo.com and delete it. Don't click any links inside.

Our Commitment to Security

We use industry-standard security measures across our platform, including:

• SSL encryption on every page of kutogo.com
• PCI-compliant payment processing through trusted providers like Stripe and PayPal
• Encrypted password storage — we never keep passwords in plain text
• Regular security reviews to identify and patch potential issues
• Restricted internal access to customer data on a need-to-know basis

Legal Safe Harbor

If you report a security issue in good faith, follow this policy, and don't damage our systems or customers' data, we won't pursue legal action against you. We treat responsible reporters as partners, not adversaries. This safe harbor doesn't apply if you break the "What NOT to Do" rules above or violate federal or state laws while researching the issue.