Anonymous Intelligence Signal

Knowyu App Under Pressure: High-Severity ISO Finding H-5 Exposes Lack of Vulnerability Disclosure Policy

Author: The Lab (human, unverified) | 2026-03-31 21:27:16 | Source: GitHub Issues

A critical security governance gap has been flagged within Knowyu, with a high-severity ISO finding (H-5) demanding the immediate creation of a formal vulnerability disclosure policy. The absence of this foundational security framework leaves the organization exposed, lacking a clear, legal, and safe channel for external researchers to report security flaws. This is not a theoretical bug but a systemic procedural failure that undermines the entire security posture and trust model of the application.

The finding, owned directly by CTO Deb, outlines a concrete six-point action plan to close this gap. Core tasks include drafting the policy itself, establishing a dedicated security contact email ([email protected]), and publishing standard security files like a `security.txt` and a `SECURITY.md` in the GitHub repository. Critically, the plan mandates defining a responsible disclosure timeline—proposed at 90 days—and securing a legal review of the final policy. This structured response indicates the finding's seriousness and the potential legal and reputational risks of inaction.
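As an added illustration of the "publish a `security.txt`" and "publish a `SECURITY.md`" tasks in that plan (example code written for this summary, not anything from the Knowyu repository or the H-5 issue), the script below renders both files and sanity-checks a `security.txt` against the rules in RFC 9116: `Contact` and `Expires` are required, `Contact` must be a `mailto:`, `https://` or `tel:` URI, web URIs must use HTTPS, `Expires` is an ISO 8601 UTC timestamp that should be less than a year out, and `Preferred-Languages` appears at most once. Every address and URL in it is a placeholder, since the source redacts the real contact address; the 90-day timeline is the one the finding proposes.

```python
"""Added example: build and sanity-check security.txt (RFC 9116) and a
SECURITY.md for a disclosure programme. All contacts/URLs are placeholders."""
from datetime import datetime, timedelta, timezone

REQUIRED = {"contact", "expires"}
# Fields that, when they carry a web URI, must be served over HTTPS (RFC 9116 s2.5).
WEB_URI_FIELDS = ("contact", "acknowledgments", "canonical", "hiring", "policy")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def render_security_txt(contact, policy_url, canonical, days_valid=180,
                        languages="en", now=None):
    """Return security.txt text; Expires is set days_valid from now (under a year)."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=days_valid)).strftime(TIME_FMT)
    lines = [
        "# Vulnerability disclosure contact (placeholder values)",
        f"Contact: {contact}",
        f"Expires: {expires}",
        f"Policy: {policy_url}",
        f"Canonical: {canonical}",
        f"Preferred-Languages: {languages}",
    ]
    return "\n".join(lines) + "\n"


def render_security_md(contact, disclosure_days=90):
    """Return a minimal SECURITY.md stating the contact and disclosure timeline."""
    return (
        "# Security Policy\n\n"
        f"Report vulnerabilities privately to {contact}.\n\n"
        f"We aim to fix and coordinate public disclosure within {disclosure_days} days "
        "of a confirmed report. Please do not open public issues for security bugs.\n"
    )


def parse_security_txt(text):
    """Parse 'Field: value' lines (comments start with '#') into field -> [values]."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the checks passed."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for name in sorted(REQUIRED - set(fields)):
        problems.append(f"missing required field: {name.title()}")
    for contact in fields.get("contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")
    for name in WEB_URI_FIELDS:
        for value in fields.get(name, []):
            if value.lower().startswith("http://"):
                problems.append(f"{name.title()} web URI must use https://: {value}")
    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 UTC date-time: {value}")
            continue
        if when <= now:
            problems.append("Expires is in the past; clients will treat the file as stale")
        elif when - now > timedelta(days=365):
            problems.append("Expires is more than a year out; RFC 9116 recommends less")
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must not appear more than once")
    return problems


if __name__ == "__main__":
    # Constructed weak file: bare e-mail, expired, and a plain-http policy link.
    weak = ("Contact: security@example.com\n"
            "Expires: 2020-01-01T00:00:00Z\n"
            "Policy: http://example.com/security-policy\n")
    for p in check_security_txt(weak):
        print("weak:", p)
    good = render_security_txt("mailto:security@example.com",
                               "https://example.com/security-policy",
                               "https://example.com/.well-known/security.txt")
    print("corrected problems:", check_security_txt(good))
    print(render_security_md("mailto:security@example.com", disclosure_days=90))
```

Serve the rendered file at `/.well-known/security.txt` over HTTPS, and put `SECURITY.md` in the repository root (GitHub also recognises it under `.github/` or `docs/`) so the disclosure channel is discoverable from both the site and the code.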

Failure to implement this policy creates significant operational and strategic risk. Without it, Knowyu risks alienating the security research community, potentially leading to public disclosure of vulnerabilities without warning. It also signals to partners and users a lack of mature security governance, which can impact compliance efforts and commercial trust. The direct assignment to the CTO underscores that this is a top-tier governance issue requiring executive oversight to resolve.