If you believe you have found a potential security vulnerability in a Kong product or service, we encourage you to disclose your discovery to us as quickly as possible. Kong offers a Vulnerability Disclosure Program, also known as a bug bounty program, for reports of unique confirmed vulnerabilities.
Please email vulnerability@konghq.com with information about the vulnerability and detailed steps to replicate it.
The report must concern an item under our In-Scope Vulnerabilities and In-Scope Endpoints, Systems, and Applications sections.
Please take note that we do not accept a theoretical attack as valid. For a report to be accepted, you must provide a non-malicious proof of concept.
The report should also contain as much information as possible—ideally, a description of your findings, the steps needed to reproduce them, and the vulnerable component.
If you need to share screenshots or videos, please upload them to Google Drive (or any other upload service) and provide us with the links to the files.
Kong will review newly reported security vulnerabilities and assign a risk ranking using the NIST Common Vulnerability Scoring System (CVSS) v3.0. The risk rankings are scored as follows:
Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc.
Vulnerabilities that affect the security of the software and impact the processes it supports.
Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
If you report a potential security vulnerability in a Kong product or service, please follow these guidelines to be eligible for a reward under Kong’s Vulnerability Disclosure Program:
Kong runs a number of services, but only submissions concerning the following domains are eligible for rewards. Any Kong-owned domains not listed below are out of scope and not eligible for rewards. This pertains to our Enterprise software, not our open-source software.
Generally speaking, any finding with a significant vulnerability could be eligible for a reward. It is entirely at Kong's discretion to decide whether a bug is significant enough to qualify for an award. Security issues that typically would be eligible (though not necessarily in all cases) include:
We offer rewards for reports of confirmed, unique vulnerabilities as follows:
Please note that only the first report we receive about a given vulnerability will be rewarded. We cannot provide rewards where prohibited by law, including for reports originating from sanctioned countries.
If you have any questions about our Vulnerability Disclosure Program, please contact vulnerability@konghq.com.