Kolega.dev is an AI-powered security vulnerability detection and automated code remediation engine that applies semantic code intelligence to detect and fix complex vulnerabilities in your codebase.

What types of vulnerabilities can Kolega.dev detect?

Kolega.dev can detect a wide range of vulnerabilities including SQL injection, XSS, CORS misconfigurations, race conditions, authentication flaws, and complex logic vulnerabilities that standard SAST tools miss.

How does Kolega.dev differ from traditional SAST tools?

Kolega.dev uses deep semantic analysis and AI to understand code intent and logic flow, not just pattern matching. It provides 0% overlap with standard SAST scanners and can detect complex vulnerabilities across service boundaries.

Responsible Disclosure Policy

Last Updated: December 15, 2025

Scope: Open source repositories only

Our Commitment

Kolega.Dev scans open source repositories to identify security vulnerabilities and help maintainers fix them before they can be exploited. We believe in responsible disclosure that protects users while respecting maintainers.

This policy outlines how we handle the discovery and reporting of security vulnerabilities in open source projects. Our goal is to work collaboratively with the open source community to improve security for everyone.

Disclosure Timeline

Respecting Repository Policies

If a repository has a SECURITY.md file with a defined disclosure policy, we follow their timeline unless it exceeds 5 working days
If their policy exceeds 5 working days, we use our standard timeline below

Standard Disclosure Process

For all severity levels:

Working Day 0: Immediate private disclosure to repository maintainers
Working Day 4: Follow-up through additional communication channels if no response received
Working Day 6: SLA exceeded - Public disclosure and remediation PR if no response or fix available

How We Report

We will contact maintainers through the following channels, in order of preference:

GitHub Private Vulnerability Reporting (if enabled)
Security email listed in SECURITY.md
Repository maintainer email
GitHub issues (marked private/security where available)

What We Include in Reports

Each vulnerability report contains:

Vulnerability description and type
Affected versions
Steps to reproduce
Potential impact
CVSS severity score
CWE/CVE references where applicable
Recommended fix (when possible)
Our disclosure deadline

Public Disclosure

After the disclosure timeline expires without resolution, we will:

Publish a security advisory with technical details
Submit a pull request with a proposed fix
Notify relevant security databases (CVE, etc.)
Update our platform to alert users of affected repositories

What We Will NOT Do

In conducting our security research, we commit to the following restrictions:

Exploit vulnerabilities for any purpose other than verification
Access, modify, or delete user data
Disrupt repository operations
Share vulnerability details with anyone except the maintainers before disclosure
Disclose vulnerabilities that are already public

Safe Harbor

We conduct our security research in good faith to improve open source security. We request that maintainers:

Not pursue legal action against Kolega for good-faith security research
Work with us collaboratively to address findings
Notify us if we inadvertently cause any disruption

Exceptions & Extensions

We may grant timeline extensions for:

Complex fixes requiring architectural changes
Coordination with multiple dependencies
Documented maintainer circumstances (vacation, emergency, etc.)

To request an extension, please respond to our initial disclosure within 7 working days with details about the circumstances requiring additional time.

Scope Limitations

Important:

This policy applies only to open source repositories. We do not scan private repositories or proprietary software without explicit authorization from the repository owner.

Contact Information

If you're a maintainer with questions about our policy or a reported vulnerability:

Email: security@kolega.ai

Subject line: “Disclosure Policy - [Repository Name]”

For general inquiries about Kolega.Dev or our services, please contact us at contact@kolega.ai