Updated August, 30, 2022

Vulnerability Disclosure Program

How to Report a Suspected Vulnerability

Please email vulnerability@konghq.com with information about the vulnerability and detailed steps to replicate it.

The report must concern an item under our In-Scope Vulnerabilities and In-Scope Endpoints, Systems, and Applications sections.

Please take note that we do not accept a theoretical attack as valid. For a report to be accepted, you must provide a non-malicious proof of concept.

The report should also contain as much information as possible—ideally, a description of your findings, the steps needed to reproduce them, and the vulnerable component.

If you need to share screenshots or videos, please upload them to Google Drive (or any other upload service) and provide us with the links to the files.

Assigning Risk Rankings

SeverityCVSS 3.x Score

Reward Program Eligibility Guidelines

Reward Program Scope

In-Scope Endpoints, Systems, and Applications

Kong Enterprise Gateway

Kong Mesh


Kong Konnect

Kong Enterprise Gateway

Accordion List Here

Out-of-Scope Endpoints, Systems, and Applications

Non-Kong Plugins

Insomnia specific out-of-scope endpoint(s)

Kong Konnect specific out-of-scope endpoint(s)


In-Scope Vulnerabilitiess

  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Code Executions
  • SQL injections
  • Server-Side Request Forgery (SSRF)
  • Privilege Escalations
  • Authentication Bypasses
  • File inclusions (Local & Remote)
  • Protection Mechanism bypasses (CSRF bypass, etc.)
  • Leakage of sensitive data
  • Directory Traversal
  • Administration portals without an authentication mechanism
  • Open redirects which allow stealing tokens/secrets

Out-of-Scope Vulnerabilities

  • Social Engineering
  • Lack of rate-limiting mechanisms
  • Open redirects without a severe impact
  • Application stack traces (path disclosures, etc.)
  • Self-type Cross-Site Scripting / Self-XSS
  • Vulnerabilities that require Man in the Middle (MiTM) attacks
  • Denial of Service attacks
  • CSRF issues on actions with minimal impact
  • Cache Poisoning
  • Clickjacking
  • Incomplete or missing SPF/DMARC/DKIM records
  • HSTS not enabled
  • Brute force attacks
  • Security practices (banner revealing a software version, missing security headers, etc.)
  • Bugs that do not have security implications specific to Confidentiality or Integrity
  • Vulnerabilities on sites hosted by third parties unless they lead to a weakness on the main website
  • Vulnerabilities depend on physical attacks, social engineering, spamming, DDOS attack, etc.
  • Vulnerabilities affecting outdated or unpatched browsers/operating systems
  • Bugs already are known to us or previously reported by someone else (reward goes to the first reporter)
  • Issues that aren't reproducible


Critical1000 US Dollars via Amazon Gift Card or similar
High500 US Dollars via Amazon Gift Card or similar
Medium100 US Dollars via Amazon Gift Card or similar

Please note that only the first report we receive about a given vulnerability will be rewarded. We cannot provide rewards where prohibited by law, including for reports originating from sanctioned countries.