Vulnerability Disclosure Program
If you believe you have found a potential security vulnerability in a Kong product or service,
we encourage you to disclose your discovery to us as quickly as possible. Kong offers a
Vulnerability Disclosure Program, also known as a bug bounty program, for reports of unique
confirmed vulnerabilities.
How to Report a Suspected Vulnerability
Please email vulnerability@konghq.com with information about the vulnerability and detailed steps to replicate it.
The report must concern an item under our In-Scope Vulnerabilities and In-Scope Endpoints, Systems, and Applications sections.
Please take note that we do not accept a theoretical attack as valid. For a report to be accepted, you must provide a non-malicious proof of concept.
The report should also contain as much information as possible—ideally, a description of your findings, the steps needed to reproduce them, and the vulnerable component.
If you need to share screenshots or videos, please upload them to Google Drive (or any other upload service) and provide us with the links to the files.
Assigning Risk Rankings
Kong will review reported new security vulnerabilities and assign a risk ranking. Kong uses the NIST Common Vulnerability Scoring System (CVSS) v3.0 to assign a risk ranking. The risk rankings are scored as follows:
| Severity | CVSS 3.x Score |
|---|---|
| Critical | 9.0-10.0 |
| High | 7.0-8.9 |
| Medium | 4.0-6.9 |
Reward Program Eligibility Guidelines
If you report a potential security vulnerability in a Kong product or service, please follow these guidelines to be eligible for a reward under Kong's Vulnerability Disclosure Program:
- You will give us a reasonable time to investigate and mitigate the vulnerability before making public any information about the report or sharing the information with others.
- You will make a reasonable faith effort to avoid privacy violations and disruptions to others, including unauthorized access to or destruction of data and interruption or degradation of our products or services.
- You will not exploit a security issue you discover for any reason. This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for further problems.
- You will not intentionally violate any other applicable laws or regulations, including rules and regulations prohibiting unauthorized access to data.
- Only target your accounts while investigating any bugs or findings. Do not attempt to access or disrupt other users' accounts.
- Do not target our physical security measures or attempt to use social engineering, spam, or distributed denial of service (DDOS) attacks.
- You must not proceed further if you find a severe vulnerability that allows system access.
- Do not disclose the suspected vulnerability to anyone other than Kong. Any threatening behavior will automatically disqualify you from participating in the program.
- Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify you from participating in the program.
- Bug disclosure communications with Kong's Security team are to remain confidential. After the bug report is closed, researchers should destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots).
- Please review the submission to ensure sufficient information was provided, including a demonstrated impact on the Kong product or service or our user base.
Reward Program Scope
In-Scope Endpoints, Systems, and Applications
Kong runs a number of services and provides but only submissions under the following domains are eligible for rewards. Any Kong-owned domains not listed below are not in scope, not eligible for rewards. This pertains to our Enterprise Software and not our Opensource.
Kong Enterprise Gateway
- Kong Gateway Install Options
Supported Versions (2.6.x to 3.x.x)
Commercial Off-the-Shelf (COTS) Software Testing - Kong Plugins (Kong Supported)
Kong Mesh
Insomnia
- Insomnia REST - Desktop API Design Editor and API Client
https://app.insomnia.rest/ - Insomnia Desktop Applications
Desktop Application Testing
Kong Konnect
- Website Testing
Konnect is an API lifecycle management platform designed from the ground up for the cloud native era and delivered as a service.
https://cloud.konghq.com - API Testing - US
https://us.api.konghq.com - API Testing - EU
https://eu.api.konghq.com
Kong Enterprise Gateway
Out-of-Scope Endpoints, Systems, and Applications
- Kong Inc Marketing Site
https://konghq.com/ - Kuma Marketing Site
https://kuma.io/ - Vulnerabilities on sites hosted by third parties unless they lead to weaknesses on any scoped endpoint
Non-Kong Plugins
Insomnia specific out-of-scope endpoint(s)
Kong Konnect specific out-of-scope endpoint(s)
Vulnerabilities
In-Scope Vulnerabilitiess
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Code Executions
- SQL injections
- Server-Side Request Forgery (SSRF)
- Privilege Escalations
- Authentication Bypasses
- File inclusions (Local & Remote)
- Protection Mechanism bypasses (CSRF bypass, etc.)
- Leakage of sensitive data
- Directory Traversal
- Administration portals without an authentication mechanism
- Open redirects which allow stealing tokens/secrets
Out-of-Scope Vulnerabilities
- Social Engineering
- Lack of rate-limiting mechanisms
- Open redirects without a severe impact
- Application stack traces (path disclosures, etc.)
- Self-type Cross-Site Scripting / Self-XSS
- Vulnerabilities that require Man in the Middle (MiTM) attacks
- Denial of Service attacks
- CSRF issues on actions with minimal impact
- Cache Poisoning
- Clickjacking
- Incomplete or missing SPF/DMARC/DKIM records
- HSTS not enabled
- Brute force attacks
- Security practices (banner revealing a software version, missing security headers, etc.)
- Bugs that do not have security implications specific to Confidentiality or Integrity
- Vulnerabilities on sites hosted by third parties unless they lead to a weakness on the main website
- Vulnerabilities depend on physical attacks, social engineering, spamming, DDOS attack, etc.
- Vulnerabilities affecting outdated or unpatched browsers/operating systems
- Bugs already are known to us or previously reported by someone else (reward goes to the first reporter)
- Issues that aren't reproducible
Rewards
| Priority | Rewards |
|---|---|
| Critical | 1000 US Dollars via Amazon Gift Card or similar |
| High | 500 US Dollars via Amazon Gift Card or similar |
| Medium | 100 US Dollars via Amazon Gift Card or similar |
Please note that only the first report we receive about a given vulnerability will be rewarded. We cannot provide rewards where prohibited by law, including for reports originating from sanctioned countries.