Kontent.ai Bug Bounty Program

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

General Requirements:

- In connection with your participation in this program, you agree to comply with the Terms of Service and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data. Kontent.ai reserves the right to change or modify the terms of this program at any time.
- Any illegal activity is prohibited.
- Do not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Kontent.ai employees) or otherwise share vulnerabilities with a third party without the express written permission of Kontent.ai .
- Do not contact Kontent.ai Support by any means in relation to this program (pre-validating reports, testing them, asking for updates, etc.)
- If you have any concerns or are uncertain whether the security research is consistent with this policy, please contact [email protected] before going any further. Do not use any other email contacts.

We’re particularly interested in the following types of vulnerabilities and impacts:
- Remote code execution
- XSS resulting in access to sensitive data (e.g., session info)
- Insecure direct object reference resulting in access to sensitive data or functionality
- Business logic flaws that result in access to sensitive data or functionality

We are not interested in the following types of issues:
- Any testing of public contact forms (e.g. demo request) is forbidden
- Attacks requiring physical access to a users device
- Phishing techniques
- Disclosure of known public files or directories (e.g., robots.txt)
- Missing DNS records (e.g., SSL CAA, DMARC, and SPF)
- Banner disclosure on common/public services
- HTTP/TLS configuration issues without demonstrable impact
- Lack of Secure/HTTPOnly flags on non-sensitive cookies
- CSP, Security header configuration suggestions
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- CSRF on forms that are available to anonymous users
- Username enumeration on login or forgot password pages
- Rate limit bypasses where throttling is not in place
- Unauthenticated cache purge
- API key disclosure without proven business impact
- Self-XSS that cannot be used to exploit other users
- Absence of password length limits
- Bypassing rate-limits or the non-existence of rate-limits
- Host header injection without proven business impact
- Attacks requiring man-in-the-middle or compromised user accounts
- Cookie bomb DoS

Testing Requirements:

- If applicable, include PoC screenshots, video, or description in your report.
- Use X-BugBounty header in your testing requests. The value of the header can be anything, but preferably use your Open Bug Bounty username, for example: X-BugBounty: 1337haxor.
- Use of automated tools and scanners is prohibited.
- If your actions have a significant impact on availability or system performance, we will block your access.
- Notify us as soon as possible after you discover a real or potential security issue.
- Test vulnerabilities only on accounts you own or on accounts you have permission to test from the account holder.
- If you inadvertently access other users’ data in your testing, please let us know, and do not store any such user data.
- Do not use a finding to compromise/exfiltrate/modify/destroy data or to pivot to other systems. Use a proof of concept only to demonstrate an issue.
- Do not engage in any activity that would be disruptive, damaging, or harmful to Kontent.ai , its brands, or its users. This includes social engineering, unsolicited messages, phishing, physical security, and any type of denial-of-service attacks, especially using automated tools.
- Do not test third-party websites, applications, or services that integrate with Kontent.ai services without their permission.

Following systems and services are in the scope:
- Kontent.ai client → https://app.kontent.ai
- Management API v2 → https://manage.kontent.ai/v2
- Deliver API → https://deliver.kontent.ai
- Delivery GraphQL API → https://graphql.kontent.ai
- Presentation website → https://kontent.ai

Any systems or services not expressly listed above are excluded from the scope and are not authorized for testing.

Possible Awards:

- When you are the first to report to us a qualifying bug using the above-mentioned channel, you may be eligible for a reward, provided that the knowledge of the bug was not made publicly available by you or a third person. Rewards are based on the severity of the reported bugs as determined by Kontent.ai based on Bugcrowd VRT at its sole discretion. Rewards are paid in the form of Amazon vouchers (or another form), in the amounts determined by Kontent.ai.

- The reporter is responsible for any taxes due by you. There may be additional restrictions on your ability to participate in this program depending upon your local law and laws on international sanctions, embargoes, etc.

- This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay out a reward is at our sole discretion.
- P1: $300
- P2: $150
- P3: $100
- P4: $20
- P5: $0

The severity of findings from the "Varies" category is determined exclusively by Kontent.ai security team.

Special Notes:

You must not disclose or discuss any found vulnerabilities anywhere to be eligible to receive an award.

Other Submissions Handling