Bug Bounty Program

Last updated: 2022-03-29

Terms and Scope of the Program

1. These Terms set the basis for implementing the Responsible Disclosure principle and establish a framework for cooperation and communication between independent researchers and Kevin EU, UAB (the “Company”). Please read the full Terms and Conditions.

2. Participation in our Program (the “Program”) is voluntary.

3. Participation in the Program is open for all natural persons (not for companies) who individually do cyber security research and have no intention to cause harm to the owner of the resource (Company) that they are researching. Individuals who participate in a Program are hereinafter named Researchers.

4. The Researcher shall agree with the Terms and Conditions before researching and submitting the findings to the Company. By submitting a report, the Researcher acknowledges that they act within a frame of the Program and comply with the Terms and Conditions.

5. These Terms do not supplement the other terms or agreements which Researcher might have entered with the Company.

6. The Company runs several internet-facing systems under several internet domain names. The scope of the Program includes any service run under *.kevin.eu and *.getkevin.eu.

Reporting of vulnerability

7. If a Researcher thinks they have found a security vulnerability in any resource of the Company, the report shall be sent by email to security@kevin.eu. The Researcher shall include a description of the probable impact and detailed steps to reproduce the bug in the software or the misconfiguration of the system.

8. The Company will investigate all legitimate reports and reach back to the Researcher with the initial assessment as soon as possible, but no later than within ten working days after the report is received. The Company will work with the Researcher to fix issues as quickly as possible.

9. Because the Company utilises many security controls and preventive security measures in various layers of its infrastructure, the Company reserves the right to make the sole decision on the level of impact of the reported vulnerability and on any reward that might be given to the Researcher.

Services in scope

10. Security of funds, sensitive information and availability of services are the highest priority to the Company. To encourage responsible disclosure, we will not pursue legal actions against the Researchers who point out the problem provided they follow principles of responsible disclosure which include, but are not limited to:

  • Only access, disclose or modify your own client data, and only if you are a client of the Company;
  • Do not perform any attack that could harm the reliability or integrity of our services or data;
  • Avoid scanning techniques that are likely to cause degradation of service to the Company’s clients (DoS, spamming, brute force);
  • Always keep details of vulnerabilities secret until the Company has been notified and has fixed the issue;
  • Do not attempt to gain access to another client’s account or data once you have already found a flaw. In researching vulnerabilities, you must not engage in any activity that:
    • Results in degradation of Company systems;
    • Results in you, or any third party, accessing, storing, sharing or destroying data of the Company or its clients;
    • May impact Company clients, including DoS, social engineering, spam, etc.

We may ban your IP or take necessary legal measures if you do not respect fair and benevolent research principles or exceed the frame of allowed actions within the Program.

We ask you to be available to follow along and provide further information on the bug and invite you to work together with the Company security team in reproducing, diagnosing, and fixing the bug. We use the following guidelines to determine the eligibility of reports and the amount of reward.

Eligibility

To be eligible for the Program, you must:

  • Not be in violation of any national, state, or local law or regulation;
  • Not be an immediate family member of a person employed by the Company or its subsidiaries or affiliates;
  • Not be less than 14 years of age. If you are at least 14 years old but are considered a minor in your place of residence, you must obtain signed permission from your parents or legal guardians before participating in the Program.

If the Company discovers that you do not meet any of the criteria above, the Company will remove you from the Program and disqualify you from receiving any rewards.

Amount of Reward

More severe bugs will lead to greater rewards. Any bug that has the potential for financial loss or data breach is sufficiently severe.

In general, vulnerabilities that may be rewarded less are those that do not cause one or several of the following results:

  • Partial/complete loss of funds;
  • User information leak;
  • Loss of accuracy of exchange data.

To receive bounty:

  • Security bugs must be original and previously unreported;
  • Security bug must be a remote exploit, cause a privilege escalation, or an information leak.

If two or more people report the same bug within 24 hours, the reward will be divided among them.

Here are some examples of how to receive a higher reward:

  • The Researcher can demonstrate new attacks or techniques for bypassing security features. The Researcher could earn additional compensation if an existing vulnerability is shown to be exploitable through further research by the Researcher;
  • The research might also uncover extremely severe, complex, or previously unknown problems.

Reward payments, if any, will be determined by the Company, at the Company’s sole discretion. In no event shall the Company be obligated to pay you a bounty for any Submission. All bounty payments are made only in euros. If the Researcher wishes, the reward may instead be donated to the Red Cross or UNICEF.

The Company does not pay rewards in cryptocurrencies or via other payment systems not mentioned in the Terms and Conditions.

In determining the pay-out amount, the Company will consider the level of risk and impact of the vulnerability.

Examples of Vulnerabilities

Examples of Qualifying Vulnerabilities

The Company reserves the right to decide if the minimum severity qualification threshold is met and whether it was already reported.

  • Authentication bypass or privilege escalation;
  • Clickjacking;
  • Cross-site scripting (XSS);
  • Cross-site request forgery (CSRF/XSRF);
  • Mixed-content scripts;
  • Server-side code execution;
  • User data breach;
  • Remote Code Execution.

Examples of Non-Qualifying Vulnerabilities

Reporting the following vulnerabilities is appreciated but will not systematically lead to a reward from the Company:

  • Denial of Service vulnerabilities (DoS);
  • Possibilities to send malicious links to people you know;
  • Security bugs in third-party websites that integrate with Company API;
  • Vulnerabilities related to third-party software (e.g. Java, plugins, extensions) or websites unless they lead to vulnerability on the Company website;
  • Spam (including issues related to SPF/DKIM/DMARC);
  • Usability issues, such as form autocomplete;
  • Insecure settings in non-sensitive cookies;
  • Browser Cache vulnerabilities;
  • Vulnerabilities (including XSS) that require a potential victim to install non-standard software or otherwise take very unlikely active steps to make themselves susceptible;
  • Non-technical attacks including social engineering, phishing or physical attacks against our employees, users or infrastructure;
  • Vulnerabilities (including XSS) that affect only legacy browser/plugins or outdated protocols like TLS 1.0;
  • Self-XSS;
  • CSRF for non-significant actions (logout, etc.);
  • Clickjacking attacks without a documented series of clicks that produce a vulnerability;
  • Content injection, such as reflected text or HTML tags;
  • Missing HTTP headers, except where their absence fails to mitigate an existing attack;
  • Authentication bypasses that require access to software/hardware tokens;
  • Vulnerabilities that require access to passwords, tokens, or the local system (e.g. session fixation);
  • Assumed vulnerabilities based upon software or hardware version numbers only;
  • Bugs that require exceedingly unlikely user interaction;
  • Disclosure of public information and information that does not present significant risk;
  • Scripting or other automation and brute forcing of intended functionality;
  • Requests that violate the same-origin policy without a concrete attack scenario (for example, CORS responses on endpoints where cookies are not used to perform authentication or are not sent with the request).

Required Information

For all submissions, please include:

  • A full description of the vulnerability being reported, including its exploitability and impact;
  • Documentation of all steps required to reproduce the exploitation of the vulnerability;
  • The URL(s)/application(s) affected by the submission (even if you have also provided a code snippet/video);
  • The IPs that were used while testing;
  • All of the files that you attempted to upload;
  • The complete Proof of Concept for your submission;
  • All of the attack logs, saved and attached to the submission.

Failure to include any of the above items may delay or jeopardise the reward payment.

The report must be sent to us by emailing security@kevin.eu unless you are advised to act differently.

We cannot issue rewards to individuals on sanctions lists or countries on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

Copyright © 2022 kevin.