Bug Bounty Program
Last Updated: 2024-03-28
Suspended from: 2024-07-01
Terms and Scope of the Program
The Bug Bounty Program (the “Program”) sets the basis for implementing the Responsible Disclosure principle and establishes a framework for cooperation and communication between independent cyber security freelance researchers and Kevin EU, UAB (the “Company”).
1. Participation in our Program is voluntary.
2. Participation in the Program is open to all natural persons (not companies) who individually conduct cyber security research and have no intention to cause harm to the owner of the resource (the Company) that they are researching. Individuals who participate in the Program are hereinafter referred to as Researchers.
3. The Researcher shall agree with the full Terms and Conditions before researching and submitting the findings to the Company. By submitting a report, the Researcher acknowledges that they act within the frame of the Program and comply with the Terms and Conditions.
4. The Terms and Conditions do not supplement the other terms or agreements which the Researcher might have entered with the Company.
5. The Company runs several internet-facing systems under several internet domain names. The scope of the Program includes any service run under *.kevin.eu and *.getkevin.eu.
Reporting of vulnerability
6. If a Researcher thinks they have found a security vulnerability in any resource of the Company, the report shall be sent by email to security@kevin.eu. The Researcher shall include a description of the probable impact and detailed steps to reproduce the bug in the software or the misconfiguration in the system.
7. The Company will investigate all legitimate reports, reach back to the Researcher with an initial assessment as soon as possible, and make efforts to respond no later than ten (10) working days after the report is received. The Company may not be able to respond if the report was sent to an address other than the one mentioned above, if the email content cannot be considered related to the Program, or if it does not meet the report requirements outlined in this Program or its Terms and Conditions.
8. Because the Company utilises many security controls and preventive security measures in various layers of its infrastructure, the Company reserves the right to decide, at its sole discretion, on the level of impact of the reported vulnerability and on any reward that might be given to the Researcher.
Services in scope
9. Security of client funds, sensitive information and availability of services are the highest priority for the Company. To encourage responsible disclosure, the Company will not pursue legal action against Researchers who point out a problem, provided they follow the principles of responsible disclosure, which include but are not limited to:
- Access, disclose or modify only your own client data, if you are a client of the Company;
- Do not perform any attack that could harm the reliability or integrity of the services or data of the Company;
- Avoid scanning techniques that are likely to cause degradation of service to the Company’s clients (DoS, spamming, brute force);
- Always keep details of vulnerabilities secret until the Company has given explicit permission to disclose them;
- Do not attempt to gain access to another client’s account or data if you have already found a flaw;
- If, during the research, access to confidential data is gained (such as client or customer data, personal data, user action logs, real credentials, etc.), the Researcher must protect it from disclosure and must not share or use it in any way other than when communicating with the Company. It is prohibited to disclose such data in the media, anonymously, publicly, within closed communities or to any other person, or to sell it, regardless of the phase of the research (initial probing, proof-of-concept development, reporting or not reporting to the Company), after closure of the case, regardless of the outcome of the research or of the Company's decision to accept or reject the report, or at any later time. Confidential data that was obtained must be unrecoverably destroyed by the Researcher as soon as it is no longer required to prove that the vulnerability exists.
- In researching vulnerabilities, the Researcher must not engage in any activity that:
  - Results in degradation of Company systems;
  - Results in the Researcher, or any third party, accessing, storing, sharing or destroying data of the Company or its clients;
  - May impact Company clients and customers, as well as the Company's personnel, including DoS, social engineering, spam, etc.
10. The Company may ban the Researcher's IP address or take the necessary legal action if the Researcher does not respect fair and benevolent research principles or exceeds the frame of actions allowed within the Program.
11. We ask the Researcher to remain available to provide further information on the bug and invite them to work together with the Company's security team in reproducing, diagnosing and fixing it. The Company uses the following guidelines to determine the eligibility of reports and the amount of any reward.
Eligibility
12. To be eligible for the Program, the Researcher must:
- NOT be in violation of any national, state or local law or regulation;
- NOT be an immediate family member of a person employed by the Company or its subsidiaries or affiliates;
- NOT be less than 14 (fourteen) years of age. If the Researcher is at least 14 (fourteen) years old but is considered a minor in their place of residence, the Researcher must obtain signed permission from their parents or legal guardians before participating in the Program.
13. There may be additional restrictions on the Researcher’s ability to enter the Program depending on their local law.
14. If the Company discovers that the Researcher does not meet any of the criteria above, the Company will remove the Researcher from the Program and disqualify them from receiving any rewards.
Reward
15. The Company does not set a fixed reward amount for reported vulnerabilities, as their severity and threat level are subjective matters. When validating the Researcher's report or determining the payout amount, the Company will consider the level of risk and the possible impact of the reported vulnerability. This means the Company assesses reports holistically, taking into account the specifics of its infrastructure, the countermeasures and workarounds already implemented, the scale and volume of the probable effect, and the significance of the loss the vulnerability may cause when exploited. Consequently, a reported system behaviour, software bug, vulnerability or misconfiguration may be judged not to pose a threat to the Company's information systems and information. However, discovering more severe bugs will lead to greater rewards. Any bug that has the potential for financial loss or data breach is sufficiently severe.
16. Potentially rewardable findings must be original, previously unreported security bugs that are remotely exploitable and cause a privilege escalation or an information leak.
17. Vulnerabilities that may be rewarded less are those that do not cause one or more of the following results:
- Partial/complete loss of funds;
- User information leak;
- Loss of accuracy of exchange data.
18. If two or more people report the same bug within 24 hours, the reward will be divided among them.
19. The reward amount, if any, will be determined by the Company at the Company's sole discretion. In no event shall the Company be obligated to pay a bounty for any submission. All bounty payouts are made only in euros and processed through PayPal, to the Researcher's PayPal account only. The reward may also be transferred to the international organisations Red Cross or UNICEF if the Researcher wishes.
20. The Company does not pay rewards in cryptocurrencies or through other payment systems not mentioned in the Terms and Conditions.
21. The Company cannot issue rewards to individuals on sanctions lists or in countries on sanctions lists. The Researcher is responsible for any tax implications depending on the Researcher's country of residency and citizenship.
Qualified Vulnerabilities
22. The Company reserves the right to decide if the minimum severity qualification threshold is met and whether the vulnerability was already reported. Below is a list of examples of qualified vulnerabilities:
- Authentication bypass or privilege escalation;
- Full account takeover;
- Website defacement;
- Cross-site scripting (XSS);
- Cross-site request forgery (CSRF/XSRF);
- Mixed-content scripts;
- Server-side code execution;
- User data breach;
- Remote Code Execution.
Non-Qualified Vulnerabilities
23. Reporting the following vulnerabilities is appreciated but will not lead to a reward from the Company:
- Denial of Service vulnerabilities (DoS);
- The ability to send malicious links to people you know;
- Security bugs in third-party websites that integrate with Company API;
- Vulnerabilities related to 3rd-party software (e.g. Java, plugins, browser extensions) or websites unless they lead to vulnerability on the Company website;
- Spam (including issues related to SPF/DKIM/DMARC);
- Usability issues, form autocomplete;
- Insecure settings in non-sensitive cookies;
- Browser Cache vulnerabilities;
- Vulnerabilities (including XSS) that require a potential victim to install non-standard software or otherwise take very unlikely active steps to make themselves susceptible;
- Non-technical attacks, including social engineering, phishing or physical attacks against our employees, system users or infrastructure;
- Vulnerabilities (including XSS) that affect only legacy browsers/plugins or outdated protocols like TLS 1.0;
- Self-XSS;
- CSRF for non-significant actions (logout, etc.);
- Clickjacking attacks without a documented series of clicks that produce a vulnerability;
- Content spoofing and text injection issues without security impact;
- Missing HTTP headers, except where their absence fails to mitigate an existing attack;
- Authentication bypasses that require access to software/hardware tokens;
- Vulnerabilities that require access to passwords, tokens, or the local system (e.g., session fixation);
- Assumed vulnerabilities based upon software or hardware version numbers only;
- Bugs that require exceedingly unlikely user interaction;
- Disclosure of public information and information that does not present significant risk;
- Scripting or other automation and brute forcing of intended functionality;
- Requests violating the same-origin policy without concrete attack scenarios (for example, when using CORS, cookies are not used to perform authentication or sent with requests);
- Session-handling limitations inherent to client-side session tokens (e.g. short-lived access tokens that cannot be invalidated before their expiration time);
- Rate limiting issues without a clear security impact;
- Attacks requiring man-in-the-middle (MITM) or physical access to a victim’s device;
- Attacks that require malware (such as keyloggers) to be present on a user's device;
- Banner identification issues, version disclosure vulnerabilities;
- Leaked user credentials or similarly important data found on the dark web, web archives or elsewhere.
Required Information
24. For all submissions, the Researcher must include the following information:
- Full description of the vulnerability being reported, including the exploitability and impact;
- Documentation of all steps required to reproduce the exploitation of the vulnerability;
- URL(s)/application(s) affected in the submission (even if you provided us with a code snippet/video as well);
- IPs that were used while testing;
- Any files the Researcher attempted to upload;
- Complete Proof of Concept (including video);
- Attack logs.
25. Inconsistent and inaccurate reports may delay the Company’s response time, prolong the analysis period, and impact decisions on rewards.
26. Unless the Researcher is advised to act differently, the report must be sent to the Company by emailing security@kevin.eu.