Kontent.ai Bug Bounty Program

Kontent.ai runs a bug bounty program to ensure the security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Kontent.ai set out below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the subsequent process of vulnerability remediation and disclosure between Kontent.ai and researchers.

The bug bounty program allows private and public submissions.

Bug Bounty Scope

The following websites are within the scope of the program:

*.kontent.ai

Non-Intrusive Submissions Handling

The following section covers submissions of vulnerabilities that do not require intrusive testing under Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

- In connection with your participation in this program, you agree to comply with the Terms of Service and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data. Kontent.ai reserves the right to change or modify the terms of this program at any time.
- Any illegal activity is prohibited.
- Do not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Kontent.ai employees) or otherwise share vulnerabilities with a third party without the express written permission of Kontent.ai.
- Do not contact Kontent.ai Support by any means in relation to this program (pre-validating reports, testing them, asking for updates, etc.).
- If you have any concerns or are uncertain whether the security research is consistent with this policy, please contact [email protected] before going any further. Do not use any other email contacts.

We’re particularly interested in the following types of vulnerabilities and impacts:
- Remote code execution
- XSS resulting in access to sensitive data (e.g., session info)
- Insecure direct object reference resulting in access to sensitive data or functionality
- Business logic flaws that result in access to sensitive data or functionality

We are not interested in the following types of issues:
- Any testing of public contact forms (e.g. demo request) is forbidden
- Attacks requiring physical access to a user's device
- Phishing techniques
- Disclosure of known public files or directories (e.g., robots.txt)
- Missing DNS records (e.g., CAA, DMARC, and SPF)
- Banner disclosure on common/public services
- HTTP/TLS configuration issues without demonstrable impact
- Lack of Secure/HttpOnly flags on non-sensitive cookies
- CSP, Security header configuration suggestions
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- CSRF on forms that are available to anonymous users
- Username enumeration on login or forgot password pages
- Rate limit bypasses where throttling is not in place
- Unauthenticated cache purge
- API key disclosure without proven business impact
- Self-XSS that cannot be used to exploit other users
- Absence of password length limits
- Bypassing rate-limits or the non-existence of rate-limits
- Host header injection without proven business impact
- Attacks requiring man-in-the-middle or compromised user accounts
- Cookie bomb DoS

Testing Requirements:

- If applicable, include PoC screenshots, video, or description in your report.
- Use the X-BugBounty header in your testing requests. The value of the header can be anything, but preferably use your Open Bug Bounty username, for example: X-BugBounty: 1337haxor.
- Use of automated tools and scanners is prohibited.
- If your actions have a significant impact on availability or system performance, we will block your access.
- Notify us as soon as possible after you discover a real or potential security issue.
- Test vulnerabilities only on accounts you own or on accounts you have permission to test from the account holder.
- If you inadvertently access other users’ data in your testing, please let us know, and do not store any such user data.
- Do not use a finding to compromise/exfiltrate/modify/destroy data or to pivot to other systems. Use a proof of concept only to demonstrate an issue.
- Do not engage in any activity that would be disruptive, damaging, or harmful to Kontent.ai, its brands, or its users. This includes social engineering, unsolicited messages, phishing, physical security, and any type of denial-of-service attack, especially using automated tools.
- Do not test third-party websites, applications, or services that integrate with Kontent.ai services without their permission.

The following systems and services are in scope:
- Kontent.ai client → https://app.kontent.ai
- Management API v2 → https://manage.kontent.ai/v2
- Deliver API → https://deliver.kontent.ai
- Delivery GraphQL API → https://graphql.kontent.ai
- Presentation website → https://kontent.ai

Any systems or services not expressly listed above are excluded from the scope and are not authorized for testing.

Possible Awards:

- When you are the first to report to us a qualifying bug using the above-mentioned channel, you may be eligible for a reward, provided that the knowledge of the bug was not made publicly available by you or a third person. Rewards are based on the severity of the reported bugs as determined by Kontent.ai based on Bugcrowd VRT at its sole discretion. Rewards are paid in the form of Amazon vouchers (or another form), in the amounts determined by Kontent.ai.

- You are responsible for any taxes due on a reward. There may be additional restrictions on your ability to participate in this program depending on your local law and laws on international sanctions, embargoes, etc.

- This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay out a reward is at our sole discretion.
- P1: $300
- P2: $150
- P3: $100
- P4: $20
- P5: $0

The severity of findings in the Bugcrowd VRT "Varies" category is determined exclusively by the Kontent.ai security team.

Special Notes:

You must not disclose or discuss any found vulnerabilities anywhere to be eligible to receive an award.

Other Submissions Handling

The website owner wants to receive information about other vulnerabilities. The same requirements, scope and awards as above apply.

Notifications:

[email protected]

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

 
Response Time: how quickly researchers get responses to their submissions.
Remediation Time: how quickly reported submissions are fixed.
Cooperation and Respect: how fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.
