Responsible Disclosure
The integrity and safety of our customers' data is top priority for us. We go to great lengths providing a safe environment, but we are not as naïve to think our systems are bullet proof. There may be instances, where security flaws exist in our systems. We encourage you, if you've discovered a vulnerability in our systems to help us improve: vulnerability@kaddio.com
General elegibility
- The security bug must be original and previously unreported.
- You should use your best effort not to access, modify, delete, or store User Data
- Lack of clickjacking protection (XFO, CSP) is insufficient to claim a bounty
- No other sites or subdomains than those listed in the table below is eligible for a bounty
Scope
| Bug classification | demo.kaddio.com | call.kaddio.com | kaddio.com |
|---|---|---|---|
| Remote Code Execution | $30 | $20 | HoF (Hall of Fame) |
| Unauthorised Data Access | $30 | $20 | HoF |
| Authentication Bypass | $30 | $20 | HoF |
| Database Injection | $30 | HoF | HoF |
| Domain Takeovers | $20 | $20 | $20 |
| XSS | $20 | $20 | HoF |
| Vulnerabilities with encryption | $20 | $20 | HoF |
| Clickjacking | HoF | HoF | HoF |
Exclusions
- Social engineering attacks (phishing)
- Spam and flaws related to DKIM, SPF or DMARC
- Denial-of-service attacks
- Rate limiting issues
We will investigate all reports and keep you in the loop. As a small company we cannot provide much of a Bug Bounty, altough we will mention you on our HoF-page. When you're disclosing an issue, please include your name, Type of bug, a Proof of Concept and the Domain.
Kaddio Responsible Disclosure
September 5, 2018
Kaddio Security Researcher Hall of Fame
| Date | Researcher |
|---|---|
| 2018, August | Vipul Zilpelwar |
| 2018, July | Ismail Tasdelen |
| 2018, July | k.karthickumar - Cisco Systems Chennai |
| 2018, June | Maulik Vaidh, @Maulik1827 |
| 2018, May | Jineesh Ak |