Security Bug Bounty
Pump your skills, earn money, become a Hall of Famer
Kick Ecosystem Security Bug Bounty Policy
This Policy engages a set of rules and requirements to apply for the Kick Ecosystem Security Bug Bounty Program.
Eligible Targets
At this time the scope of this Program with potential money reward is limited to security vulnerabilities found in the following resources:
Security vulnerabilities found in the other Kick Ecosystem resources may be rewarded with the inclusion of the applicant into the Hall of Fame.
Some kind of security vulnerabilities are excluded from the program but we appreciate your efforts to point them out and remain the rights to reward you including into the Hall of Fame of Kick Ecosystem:

  • Self-XSS and issues exploitable only through Self-XSS
  • CSRF for non-significant actions (log out, anonymously accessible resources, etc.)
  • Spam (including issues related to SPF/DKIM/DMARC)
  • Denial-of-service attacks or issues related to rate limiting
  • Application Denial of Service by locking user accounts
  • Username enumeration based on login or forgot password pages
  • Attacks that require social engineering (phishing)
  • Content injection, such as reflected text or HTML tags
  • Missing HTTP headers, except as where their absence fails to mitigate an existing attack
  • Cookies that lack HTTP Only or Secure settings for non-sensitive data
  • Authentication bypasses that require access to software/hardware tokens
  • Attacks requiring physical access to a user's device
  • Assumed vulnerabilities based upon version numbers only
  • Vulnerabilities discovered shortly after their public release
  • Clickjacking, without additional details demonstrating a specific exploit
Campaign Policy
In order for you to participate in the Program, we require that:

  • You report found security bugs with a PoC and any other security findings only via a special form.
  • You give us a reasonable time to investigate and mitigate the issue you report before publicly disclosing any information about the report or sharing this information with others. This time is 90 days from the reporting date but may be extended in case of business needs.
  • You do not publish any disclosure information before making an agreement with Kick Ecosystem about allowed details of the disclosure.
  • You do not exploit a security issue (including searching for inherited risks, compromising user or company data, etc) for any reason other than for testing security, documenting the findings, and making Proof-Of-Concept (PoC) to apply for the Program.
  • You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data and interruption or degradation of our services.
    You must not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
  • You must not access or share any Kick Ecosystem, user information, or any other data with limited access while investigating an issue.
  • In case of accidental access to another person's data or Kick Ecosystem company data, while investigating an issue, you must include this fact in your report. The amount of accessed data is limited by the needs of creating a PoC and a report. Continuous accessing affected data leads to disqualify you from any benefit. You are not allowed to share accessed data with anyone else even after the bug will be fixed.
  • You use only your accounts to investigate an issue and make a PoC.
  • You send the vulnerability report and PoC via special form, give us your contacts and remain in touch during the time of investigation performing by our security team.

Kick Ecosystem remains the rights to change this Policy or finish the Campaign. Any Policy or Campaign changes will be published on the official Campaign page
You may be eligible to receive a financial reward if:

  • Your report and PoC is about a vulnerability of service included in Eligible Target's scope.
  • Your activities and report fully meet the requirements of the Kick Ecosystem Security Bug Bounty Program and its Policy.
  • The vulnerability is determined to be a valid security issue by the Kick Ecosystem security team according to the Kick Ecosystem risk assessment process.
  • You are the first person to submit a site or product vulnerability.
  • You are not a Kick Ecosystem partner, Kick Ecosystem employee, or author of vulnerable product/code.

Kick Ecosystem remains the right to reward the reporter by including to the Hall of Fame without financial reward if:

  • Your report does not contain working PoC or provided steps does not allow to reproduce the vulnerability exploiting.
  • Your activities or report are not fully compliant with the Campaign Policy.
  • Your report is about a vulnerability that does not affect any meaningful resources, business processes.
  • Your report is about a vulnerability that does not create meaningful business risk.

Payouts (may be adjusted for each specific finding based on results of risk analysis):

* for reports sent after 11th of June 2020.