Updated August 30, 2022

Vulnerability Disclosure Program


If you believe you have found a potential security vulnerability in a Kong product or service,
we encourage you to disclose your discovery to us as quickly as possible. Kong offers a
Vulnerability Disclosure Program, also known as a bug bounty program, for reports of unique
confirmed vulnerabilities.

How to Report a Suspected Vulnerability

Please email vulnerability@konghq.com with information about the vulnerability and detailed steps to replicate it.

The report must concern an item under our In-Scope Vulnerabilities and In-Scope Endpoints, Systems, and Applications sections.

Please take note that we do not accept a theoretical attack as valid. For a report to be accepted, you must provide a non-malicious proof of concept.

The report should also contain as much information as possible—ideally, a description of your findings, the steps needed to reproduce them, and the vulnerable component.

If you need to share screenshots or videos, please upload them to Google Drive (or any other upload service) and provide us with the links to the files.

Assigning Risk Rankings

Kong will review reported new security vulnerabilities and assign a risk ranking. Kong uses the NIST Common Vulnerability Scoring System (CVSS) v3.0 to assign a risk ranking. The risk rankings are scored as follows:

Severity    CVSS 3.x Score
Critical    9.0-10.0
High        7.0-8.9
Medium      4.0-6.9

Reward Program Eligibility Guidelines

If you report a potential security vulnerability in a Kong product or service, please follow these guidelines to be eligible for a reward under Kong's Vulnerability Disclosure Program:

  • You will give us a reasonable time to investigate and mitigate the vulnerability before making public any information about the report or sharing the information with others.
  • You will make a good-faith effort to avoid privacy violations and disruptions to others, including unauthorized access to or destruction of data and interruption or degradation of our products or services.
  • You will not exploit a security issue you discover for any reason. This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for further problems.
  • You will not intentionally violate any other applicable laws or regulations, including rules and regulations prohibiting unauthorized access to data.
  • Only target your accounts while investigating any bugs or findings. Do not attempt to access or disrupt other users' accounts.
  • Do not target our physical security measures or attempt to use social engineering, spam, or distributed denial of service (DDOS) attacks.
  • You must not proceed further if you find a severe vulnerability that allows system access.
  • Do not disclose the suspected vulnerability to anyone other than Kong. Any threatening behavior will automatically disqualify you from participating in the program.
  • Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify you from participating in the program.
  • Bug disclosure communications with Kong's Security team are to remain confidential. After the bug report is closed, researchers should destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots).
  • Please review the submission to ensure sufficient information was provided, including a demonstrated impact on the Kong product or service or our user base.

Reward Program Scope

In-Scope Endpoints, Systems, and Applications

Kong runs a number of services, but only submissions concerning the following products and domains are eligible for rewards. Any Kong-owned domains not listed below are out of scope and not eligible for rewards. This pertains to our Enterprise software and not our open-source software.

  • Kong Enterprise Gateway
  • Kong Mesh
  • Insomnia
  • Kong Konnect


Out-of-Scope Endpoints, Systems, and Applications

  • Non-Kong plugins
  • Insomnia-specific out-of-scope endpoint(s)
  • Kong Konnect-specific out-of-scope endpoint(s)

Vulnerabilities

Generally speaking, any finding with a significant vulnerability could be eligible for a reward. It is entirely at Kong's discretion to decide whether a bug is significant enough to qualify for an award. Security issues that typically would be eligible (though not necessarily in all cases) include:

In-Scope Vulnerabilities

  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Code Executions
  • SQL injections
  • Server-Side Request Forgery (SSRF)
  • Privilege Escalations
  • Authentication Bypasses
  • File inclusions (Local & Remote)
  • Protection Mechanism bypasses (CSRF bypass, etc.)
  • Leakage of sensitive data
  • Directory Traversal
  • Administration portals without an authentication mechanism
  • Open redirects which allow stealing tokens/secrets

Out-of-Scope Vulnerabilities

  • Social Engineering
  • Lack of rate-limiting mechanisms
  • Open redirects without a severe impact
  • Application stack traces (path disclosures, etc.)
  • Self-type Cross-Site Scripting / Self-XSS
  • Vulnerabilities that require Man in the Middle (MiTM) attacks
  • Denial of Service attacks
  • CSRF issues on actions with minimal impact
  • Cache Poisoning
  • Clickjacking
  • Incomplete or missing SPF/DMARC/DKIM records
  • HSTS not enabled
  • Brute force attacks
  • Security practices (banner revealing a software version, missing security headers, etc.)
  • Bugs that do not have security implications specific to Confidentiality or Integrity
  • Vulnerabilities on sites hosted by third parties unless they lead to a weakness on the main website
  • Vulnerabilities that depend on physical attacks, social engineering, spamming, DDoS attacks, etc.
  • Vulnerabilities affecting outdated or unpatched browsers/operating systems
  • Bugs already known to us or previously reported by someone else (the reward goes to the first reporter)
  • Issues that aren't reproducible

Rewards

We offer rewards for reports of confirmed, unique vulnerabilities as follows:

Priority    Reward
Critical    1000 US Dollars via Amazon Gift Card or similar
High        500 US Dollars via Amazon Gift Card or similar
Medium      100 US Dollars via Amazon Gift Card or similar

Please note that only the first report we receive about a given vulnerability will be rewarded. We cannot provide rewards where prohibited by law, including for reports originating from sanctioned countries.

Questions?

If you have any questions about our Vulnerability Disclosure Program, please contact vulnerability@konghq.com.