White Hat Bug Bounty Program

Kyup fully supports and values the security research community. As such, we encourage you to responsibly disclose security vulnerabilities after reviewing our responsible disclosure policy and bug bounty guidelines on this page.

1. Eligibility

To qualify for a bounty reward you must be the first individual to responsibly disclose the bug, and report a security vulnerability that could compromise the security and/or integrity of Kyup services, infrastructure or user data, circumvent privacy protections, or enable unexpected/unauthorized access to systems within Kyup. Please note that bugs/security issues previously reported by another participant in the responsible disclosure policy/program will be honored only to the first person that discovered them.

2. Qualifying Bugs

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • SQL Injection Flaws
  • Critical/Sensitive information disclosure flaws
  • Authentication and session management Flaws (e.g. Kyup OAuth bugs)
  • Circumvention of our Platform/Privacy permission models
  • Remote Code Execution leading to compromise of the Kyup website/host nodes infrastructure. Please note that we will not cover bugs that exploit end-user applications running inside the infrastructure unless this exploit can further be elevated to local root exploit inside the containers or compromising the security model of the host node.
  • Privilege Escalation. Please note that we will not cover bugs that exploit end user appications running inside the insolated environment.
  • Exploiting Provisioning Errors that might lead to security compromise. Bugs that can not be used for security compromise are not eligible for bounty.
  • Unauthorized/Unauthenticated Code Injection in the program normal/expected paths/flows.

Our security team will assess each bug to determine if it qualifies.

3. Non-qualifying Bugs

The following types of bugs are not eligible for a bounty:

  • Security vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on a Kyup-hosted site.
  • Security vulnerabilities in third party applications which use the Kyup API.
  • Security vulnerabilities in third party plugins, libraries or tools that use the Kyup API.
  • Non-critical information disclosure flaws.
  • Denial of service (DoS).
  • Spamming.
  • Social Engineering.
  • Bugs affecting outdated or unpatched browsers.
  • Bruteforce attacks.

4. Reward

Cash Reward Up To $200 USD
  • Our security team evaluates all reported bugs. The value of the bounty is based on a combination of the severity of the bug and creativity of the exploit. It may vary between $10 and $200 per bug.
  • Receive payment by check (if U.S. citizen) or PayPal.
  • Only 1 bounty per bug will be awarded on a first come first served basis.
  • You must reside in a country not under any current U.S. Sanctions to qualify for a reward.

Rules

  • If you believe you have found a vulnerability, do not share details about it with any third parties or the general public before it has been fixed and written permission is granted by Kyup to share those details with the public.
  • You can only conduct testing on/from within accounts that you own or have permission from the owner to test on.
  • Even if you believe you have found a security issue it is strictly prohibited to try to gain control of another user's account or data.
  • SPAM and DDoS attacks are never permitted.
  • Using of automated tools and vulnerability scanners against the Kyup infrastructure is strictly prohibited.
  • Automated/manual password guessing (also known as "bruteforce attack") against login forms is not permitted.
  • Using of non-technical techniques such as phishing and/or social engineering against employees or Kyup customers is strictly prohibited.
  • Physical attacks against equipment, infrastructure, offices, and/or employees of Kyup and/or our partners are strictly forbidden.
  • Failed to comply with these rules will be considered as criminal activity against the Kyup infrastructure and it will be prosecured according to the international laws for cyber crime fighting.

5. How To Report A Bug

If you believe you've discovered a security vulnerability in Kyup, you may responsibly disclose your find by sending an email to security@kyup.com. Please include the following details with your disclosure:

  • Description of vulnerability and potential impact.
  • Detailed description of steps taken to reproduce the bug or proof of concept.
  • Name and/or link for (optional) attribution on this page.

We will review the bug and reply with details on eligibility for bounty and how to receive it.

Hall Of Fame

We are very grateful to the community of users and security researchers who have helped us improve our services and make them more secure.

  1. Juan Broullón Sampedro
  2. Rafael Pablos
  3. Sasi Levi
  4. Jaume Llopis
  5. Koutrouss Naddara
  6. Mohd Haji
  7. James Amos
  8. Kalpesh Makwana
  9. Ankit Bharathan Provensec llc
  10. Jakub Żoczek
  11. Muhammed Gazzaly
  12. Stan Schwertly
  13. Rob Ragan
  14. Allan Jay Dumanhug
  15. Frans Rosén
  16. Bhavesh Naik
  17. Akhil Reni
  18. Ranjeet Singh
  19. Dennis San Jose
  20. Krishna Chaitanya Kadaba
  21. Eusebiu Blindu
  22. Nitin Goplani
  23. Hamid Ashraf
  24. Yash Pandya
  25. David Sopas
  26. Hammad Qureshi
  27. Nikolay Tkachenko
  28. Manoj Kumar
  29. Ravikumar Paghdal
  30. Waqeeh Ul Hasan of BEL4SOLUTIONS
  31. Vishnu Vardhan Reddy (Vishnu_dfx)