White Hat Bug Bounty Program
1. Overview
Kyup fully supports and values the security research community. We encourage you to responsibly disclose security vulnerabilities after reviewing the responsible disclosure policy and bug bounty guidelines on this page.
To qualify for a bounty reward you must be the first individual to responsibly disclose the bug, and the bug must be a security vulnerability that could compromise the security and/or integrity of Kyup services, infrastructure or user data, circumvent privacy protections, or enable unexpected or unauthorized access to systems within Kyup. Please note that bugs or security issues previously reported by another participant in the responsible disclosure program are credited only to the first person who reported them.
2. Qualifying Bugs
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF/XSRF)
- SQL Injection Flaws
- Critical/Sensitive information disclosure flaws
- Authentication and session management Flaws (e.g. Kyup OAuth bugs)
- Circumvention of our Platform/Privacy permission models
- Remote Code Execution leading to compromise of the Kyup website or host node infrastructure. Please note that we will not cover bugs that exploit end-user applications running inside the infrastructure unless the exploit can be further escalated to local root inside the container or otherwise compromises the security model of the host node.
- Privilege Escalation. Please note that we will not cover bugs that exploit end-user applications running inside the isolated environment.
- Exploiting provisioning errors that might lead to a security compromise. Bugs that cannot be used for a security compromise are not eligible for a bounty.
- Unauthorized/unauthenticated code injection in the program's normal/expected paths or flows.
Our security team will assess each bug to determine if it qualifies.
3. Non-qualifying Bugs
The following types of bugs are not eligible for a bounty:
- Security vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on a Kyup-hosted site.
- Security vulnerabilities in third party applications which use the Kyup API.
- Security vulnerabilities in third party plugins, libraries or tools that use the Kyup API.
- Non-critical information disclosure flaws.
- Denial of service (DoS).
- Social Engineering.
- Bugs affecting outdated or unpatched browsers.
- Bruteforce attacks.
4. Rules and Rewards
- Our security team evaluates all reported bugs. The value of the bounty is based on a combination of the severity of the bug and the creativity of the exploit. It may vary between $10 and $200 per bug.
- Payment is made by check (U.S. citizens only) or PayPal.
- Only 1 bounty per bug will be awarded on a first come first served basis.
- You must reside in a country not under any current U.S. Sanctions to qualify for a reward.
- If you believe you have found a vulnerability, do not share details about it with any third parties or the general public before it has been fixed and Kyup has granted written permission to share those details publicly.
- You may only conduct testing on, or from, accounts that you own or that you have the owner's permission to test on.
- Even if you believe you have found a security issue it is strictly prohibited to try to gain control of another user's account or data.
- Spam and DDoS attacks are never permitted.
- Use of automated tools and vulnerability scanners against the Kyup infrastructure is strictly prohibited.
- Automated/manual password guessing (also known as "bruteforce attack") against login forms is not permitted.
- Use of non-technical techniques such as phishing and/or social engineering against Kyup employees or customers is strictly prohibited.
- Physical attacks against equipment, infrastructure, offices, and/or employees of Kyup and/or our partners are strictly forbidden.
- Failure to comply with these rules will be treated as criminal activity against the Kyup infrastructure and will be prosecuted under the applicable international cybercrime laws.
5. How To Report A Bug
If you believe you've discovered a security vulnerability in Kyup, you may responsibly disclose your finding by sending an email to firstname.lastname@example.org. Please include the following details with your disclosure:
- Description of vulnerability and potential impact.
- Detailed description of steps taken to reproduce the bug or proof of concept.
- Name and/or link for (optional) attribution on this page.
We will review the bug and reply with details on eligibility for bounty and how to receive it.
Hall Of Fame
We are very grateful to the community of users and security researchers who have helped us improve our services and make them more secure.
- Juan Broullón Sampedro
- Rafael Pablos
- Sasi Levi
- Jaume Llopis
- Koutrouss Naddara
- Mohd Haji
- James Amos
- Kalpesh Makwana
- Ankit Bharathan Provensec llc
- Jakub Żoczek
- Muhammed Gazzaly
- Stan Schwertly
- Rob Ragan
- Allan Jay Dumanhug
- Frans Rosén
- Bhavesh Naik
- Akhil Reni
- Ranjeet Singh
- Dennis San Jose
- Krishna Chaitanya Kadaba
- Eusebiu Blindu
- Nitin Goplani
- Hamid Ashraf
- Yash Pandya
- David Sopas
- Hammad Qureshi
- Nikolay Tkachenko
- Manoj Kumar
- Ravikumar Paghdal
- Waqeeh Ul Hasan of BEL4SOLUTIONS
- Vishnu Vardhan Reddy (Vishnu_dfx)