Kratos Public Vulnerability Disclosure Policy

Purpose

This policy aims to provide clear guidelines for anyone wishing to disclose potential vulnerabilities found within the systems, networks, products or services of Kratos Technology & Training Solutions, Inc., including its subsidiaries and affiliates listed below (collectively, Kratos).

Scope

This policy applies to any individual or entity intending to disclose potential vulnerabilities discovered within the products, services and digital infrastructure owned, operated, or maintained by Kratos.

Guidelines for Responsible Disclosure

Discovery & Reporting

Report vulnerabilities via our designated reporting channel form on the Kratos website.

Provide us with sufficient information that allows us to understand, reproduce, and validate the vulnerability. Your report should include your contact information for further communication.

Non-Disclosure

Once a vulnerability has been reported, it should not be disclosed publicly or to third parties until we have had reasonable time to address it.

No Exploitation

The discovery and reporting of a vulnerability should not involve the exploitation of the vulnerability beyond what is necessary to identify it.

No Interruption of Service

Vulnerability discovery should not lead to the interruption of our digital services or destruction of data.

Our Commitment

Verification

Kratos commits to acknowledging receipt of reported vulnerabilities within two business days.

We will verify the reported vulnerability and assess its potential impact and risk to our systems.

Remediation

Our team will make every reasonable effort to address validated vulnerabilities in a timely manner, according to their severity.

Communication

Kratos will keep the reporting individual or entity informed of progress in addressing the vulnerability.

Recognition/No Award

After a reported vulnerability has been successfully addressed, and upon request of the reporting party, Kratos will publicly acknowledge the responsible party for the disclosure. Kratos does not, however, offer financial compensation for discoveries or bug bounties.

Legal Considerations

Safe Harbor

If you follow these guidelines for responsible disclosure, Kratos commits to not pursuing legal actions related to the discovery and reporting of the vulnerability. This policy is a statement of intent by Kratos and should not be viewed as a contract or a waiver of any rights.

Subsidiaries and Affiliates

  • Kratos Communications, Inc.
  • Kratos Antenna Solutions, Inc.
  • Kratos S1, Inc. f/k/a Kratos RT Logic
  • Kratos S2, Inc. f/k/a Cosmic AES
