Vulnerability Disclosure Guideline
Kry International AB ("Kry") values the security of our systems and the protection of our users' data. We recognize the important role that independent security researchers play in internet security and welcome their contributions to improving the security of our digital healthcare services.
This Vulnerability Disclosure Guideline outlines how security researchers can responsibly report potential security vulnerabilities in Kry's systems, applications, and infrastructure. We are committed to working with the security community to verify, reproduce, and respond to legitimate vulnerability reports.
Scope
This guideline applies to all Kry systems, applications, and infrastructure, including but not limited to:
Kry mobile applications (iOS and Android)
Livi mobile applications and web platforms
Web applications and portals (Kry.se, Kry.no, Livi.co.uk, Livi.fr, and associated domains)
APIs and backend infrastructure supporting our services
Third-party services integrated with Kry systems where Kry maintains control
How to Report a Vulnerability
If you believe you have discovered a security vulnerability in any Kry system, please report it to us through one of the following channels:
Primary Reporting Channel
Email:
Alternative Secure Channel
For highly sensitive disclosures, you may use our PGP-encrypted email:
PGP Key (Public): Download our PGP key from the PGP keystore.
Visit keys.openpgp.org
Search for security@kry.se
Download our PGP key
Encrypt the file containing the findings with the downloaded key.
Send as an email attachment to security@kry.se
What to Include in Your Report
To help us understand and address the vulnerability quickly, please include the following information in your report:
A detailed description of the vulnerability and its potential impact
Step-by-step instructions to reproduce the vulnerability
The type of vulnerability (e.g., SQL injection, cross-site scripting, authentication bypass)
The affected system, application, or URL
Any proof-of-concept code, screenshots, or evidence (please do not include actual user data)
Your contact information for follow-up questions
Any suggested remediation steps (optional)
Safe Harbor
Kry is committed to protecting security researchers who act in good faith. We will not pursue legal action against individuals who:
Report vulnerabilities in accordance with this guideline
Make a good faith effort to avoid privacy violations, data destruction, and service disruption
Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
Do not access, modify, or delete data belonging to others
Responsible Disclosure Guidelines
To maintain the security of our users and systems, we ask that you:
Report vulnerabilities as soon as possible after discovery
Provide us with reasonable time to investigate and address the vulnerability before public disclosure (we aim to respond to initial reports within 5 business days)
Do not publicly disclose the vulnerability until we have had sufficient time to remediate it
Avoid accessing, downloading, or modifying user data or Kry's data
Do not perform any testing that could degrade or disrupt Kry services
Act in good faith to avoid violating privacy and disrupting services
Out of Scope
The following issues are typically considered out of scope:
Social engineering attacks (including phishing)
Physical attacks against Kry offices, data centers, or employees
Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
Spam or social media account takeovers
Previously reported vulnerabilities or issues already known to Kry
Vulnerabilities in third-party services not directly controlled by Kry
Issues that require unlikely user interaction or compromise of a user's device
Our Commitment
When you report a vulnerability to us, you can expect the following:
Acknowledgment of receipt within 5 business days
Regular updates on the status of your report (at minimum, every 10 business days)
Validation and assessment of the reported vulnerability
Remediation within a timeframe appropriate to the severity of the vulnerability
Recognition of your contribution (with your permission) after the vulnerability is resolved
Transparent communication throughout the process
Expected Response Timeline
We aim to adhere to the following timeline for vulnerability management:
| Stage | Timeframe |
|---|---|
| Initial acknowledgment | Within 2 business days of receipt |
| Validation | Within 15 business days of initial acknowledgment |
| Critical Fixes | Depends on Kry’s Internal Vulnerability Management timeline. |
| High Severity Fixes | Depends on Kry’s Internal Vulnerability Management timeline. |
| Medium/Low Severity | Depends on Kry’s Internal Vulnerability Management timeline. |
These timelines may be adjusted based on the complexity of the vulnerability and the availability of resources. We will communicate any expected delays promptly.
Recognition and Reward
We do not currently operate a reward-based bug bounty/disclosure program.
However, with your permission, we will acknowledge security researchers who report valid vulnerabilities.
Legal and Compliance Considerations
This vulnerability disclosure program is aligned with:
ISO/IEC 27001:2022 Information Security Management requirements
NIS2 Directive (EU) 2022/2555 on cybersecurity incident reporting and vulnerability management
GDPR requirements for data protection and privacy
National cybersecurity regulations in Sweden, UK, France, and other jurisdictions where we operate
Please note that accessing patient health information or personally identifiable information without authorization is strictly prohibited and may be subject to legal action, even in the context of security research.
Questions
If you have questions about this vulnerability disclosure guideline or the reporting process, please contact us at security@kry.se
Last Updated: February 2026