Vulnerability Disclosure Program

If you believe you have found a potential security vulnerability in a Kong product or service, we encourage you to disclose your discovery to us as quickly as possible. Kong offers a Vulnerability Disclosure Program, also known as a bug bounty program, for reports of unique confirmed vulnerabilities.

Assigning Risk Rankings

Kong will review reported new security vulnerabilities and assign a risk ranking. Kong uses the NIST Common Vulnerability Scoring System (CVSS) v3.0 to assign a risk ranking. The risk rankings are scored as follows:

Reward Program Eligibility Guidelines

If you report a potential security vulnerability in a Kong product or service, please follow these guidelines to be eligible for a reward under Kong’s Vulnerability Disclosure Program:

• You will give us a reasonable time to investigate and mitigate the vulnerability before making public any information about the report or sharing the information with others.
• You will make a reasonable faith effort to avoid privacy violations and disruptions to others, including unauthorized access to or destruction of data and interruption or degradation of our products or services.
• You will not exploit a security issue you discover for any reason. This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for further problems.
• You will not intentionally violate any other applicable laws or regulations, including rules and regulations prohibiting unauthorized access to data.
• Only target your accounts while investigating any bugs or findings. Do not attempt to access or disrupt other users' accounts.
• Do not target our physical security measures or attempt to use social engineering, spam, or distributed denial of service (DDOS) attacks.
• You must not proceed further if you find a severe vulnerability that allows system access.
• Do not disclose the suspected vulnerability to anyone other than Kong. Any threatening behavior will automatically disqualify you from participating in the program.
• Exploiting or misusing the vulnerability for your own or others’ benefit will automatically disqualify you from participating in the program.
• Bug disclosure communications with Kong's Security team are to remain confidential. After the bug report is closed, researchers should destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots).
• Please review the submission to ensure sufficient information was provided, including a demonstrated impact on the Kong product or service or our user base.

Out-of-Scope Vulnerabilities

• Social Engineering
• Lack of rate-limiting mechanisms
• Open redirects without a severe impact
• Application stack traces (path disclosures, etc.)
• Self-type Cross-Site Scripting / Self-XSS
• Vulnerabilities that require Man in the Middle (MiTM) attacks
• Denial of Service attacks
• CSRF issues on actions with minimal impact
• Cache Poisoning
• Clickjacking
• Incomplete or missing SPF/DMARC/DKIM records
• HSTS not enabled
• Brute force attacks
• Security practices (banner revealing a software version, missing security headers, etc.)
• Bugs that do not have security implications specific to Confidentiality or Integrity
• Vulnerabilities on sites hosted by third parties unless they lead to a weakness on the main website
• Vulnerabilities depend on physical attacks, social engineering, spamming, DDOS attack, etc.
• Vulnerabilities affecting outdated or unpatched browsers/operating systems
• Bugs already are known to us or previously reported by someone else (reward goes to the first reporter)
• Issues that aren't reproducible

Rewards

We offer rewards for reports of confirmed, unique vulnerabilities as follows:

Please note that only the first report we receive about a given vulnerability will be rewarded. We cannot provide rewards where prohibited by law, including for reports originating from sanctioned countries.