1. These Terms set the basis for implementing the Responsible Disclosure principle and establish a framework for cooperation and communication between independent researchers and Kevin EU, UAB (the “Company”). Please read the full Terms and Conditions.
2. Participation in our Program (the “Program”) is voluntary.
3. Participation in the Program is open to all natural persons (not companies) who individually do cyber security research and have no intention to cause harm to the owner of the resource (Company) that they are researching. Individuals who participate in the Program are hereinafter referred to as Researchers.
4. The Researcher shall agree to the Terms and Conditions before researching and submitting findings to the Company. By submitting a report, the Researcher acknowledges that they act within the framework of the Program and comply with the Terms and Conditions.
5. These Terms do not supplement the other terms or agreements which the Researcher might have entered into with the Company.
6. The Company runs several internet-facing systems under several internet domain names. The scope of the Program includes any service run by *.kevin.eu and *.getkevin.eu.
7. If Researchers think they have found a security vulnerability in any resource of the Company, the report shall be sent by email to [email protected]. The Researcher shall include a description of the probable impact and a detailed way to reproduce the software bug or system misconfiguration.
8. The Company will investigate all legitimate reports and get back to the Researcher with the initial assessment as soon as possible, but no later than ten working days after the report is received. The Company will work with the Researcher to fix issues as quickly as possible.
9. Because the Company utilises many security controls and preventive security measures in various layers of its infrastructure, the Company reserves the right to decide, at its sole discretion, the level of impact of the reported vulnerability and any reward that might be given to the Researcher.
10. Security of funds, sensitive information and availability of services are the highest priority for the Company. To encourage responsible disclosure, we will not pursue legal action against Researchers who point out a problem, provided they follow the principles of responsible disclosure, which include, but are not limited to:
We may ban your IP or take necessary legal measures if you do not respect fair and benevolent research principles or exceed the bounds of allowed actions within the Program.
We ask you to be available to follow along and provide further information on the bug and invite you to work together with the Company security team in reproducing, diagnosing, and fixing the bug. We use the following guidelines to determine the eligibility of reports and the amount of reward.
To be eligible for the Program, you must:
If the Company discovers that you do not meet any of the criteria above, the Company will remove you from the Program and disqualify you from receiving any rewards.
More severe bugs will lead to greater rewards. Any bug that has the potential for financial loss or data breach is sufficiently severe.
In general, vulnerabilities that may be rewarded less are those that do not cause one or several of the following results:
To receive bounty:
If two or more people report the bug together within 24 hours, the reward will be divided among them.
Here are some examples of how to receive a higher reward:
Reward payments, if any, will be determined by the Company, at the Company’s sole discretion. In no event shall the Company be obligated to pay you a bounty for any Submission. All bounty payments are only in euros. The reward may also be transferred to the Red Cross or UNICEF international organisations if the Researcher wishes.
The Company does not pay rewards in cryptocurrencies or through other payment systems not mentioned in the Terms and Conditions.
In determining the pay-out amount, the Company will consider the level of risk and impact of the vulnerability.
The Company reserves the right to decide if the minimum severity qualification threshold is met and whether it was already reported.
Reporting the following vulnerabilities is appreciated but will not lead to systematic reward from the Company:
For all submissions, please include:
Failure to include any of the above items may delay or jeopardise the reward payment.
The report must be sent to us by emailing [email protected] unless you are advised to act differently.
We cannot issue rewards to individuals on sanctions lists or countries on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.