[{"id":3774966,"new_policy":"# Kong's Bug Bounty Policy\n\nAt Kong, security is a top priority. We value the contributions of the security research community in helping keep our products, services, and users safe. If you discover a vulnerability, we welcome your report and are committed to working with you to address the issue quickly—and to recognizing your efforts with fair rewards.\n\n---\n\n## 🔐 Disclosure Policy\n\nAs this is a **private program**, you may **not disclose or discuss any details** of your findings—including resolved issues—outside this program **without express written permission** from Kong.\n\nPlease also follow [HackerOne’s Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nAll communications with Kong’s security team must remain confidential. After the report is closed, please **delete all artifacts** (e.g., PoC code, screenshots, recordings).\n\n---\n\n## 📜 Program Rules\n\nPlease follow these rules to participate:\n\n- Submit **one vulnerability per report** unless chaining is required for impact.\n- Provide **clear, reproducible steps**. Reports that cannot be validated will not be rewarded.\n- Only the **first valid report** for a given issue will be eligible for a bounty.\n- Multiple issues stemming from the same root cause may be **grouped into a single reward**.\n- Only test accounts you own or are explicitly authorized to test.\n- **Ask before testing unscoped subdomains.**\n- Do **not exploit, escalate, or pivot** from discovered vulnerabilities.\n- Do **not engage in**:\n  - Social engineering (phishing, vishing, smishing)\n  - DDoS, spam, or physical attacks\n  - Unauthorized access to other users' data or accounts\n- If you discover a critical issue (e.g., full system access), **stop testing and report it immediately**.\n- Threatening behavior or abuse will result in **immediate disqualification**.\n- We do not allow participation from **sanctioned countries** or where prohibited by law.\n\n---\n\n## 💰 Reward Program Eligibility\n\nTo be eligible for a reward:\n\n- Be the **first** to report the issue.\n- Include **detailed, actionable information** that demonstrates impact.\n- Allow Kong a **reasonable amount of time** to remediate before disclosing.\n- Avoid service degradation, data destruction, or privacy violations.\n- Do not exploit the issue or violate applicable laws during testing.\n- Only submit findings that affect **Confidentiality, Integrity, or Availability**.\n- If a vulnerability is misused or weaponized, eligibility is revoked.\n- Reports must include sufficient detail to assess security impact and reproducibility.\n\n---\n\n## 🧾 CVE Assignment \u0026 Attribution\n\nKong is a [CVE Numbering Authority (CNA)](https://www.cve.org/PartnerInformation/ListofPartners/partner/Kong) and may assign **CVE IDs** to validated vulnerabilities in Kong products.\n\n- Kong will handle CVE publication and coordinate with researchers for accurate attribution (if desired).\n- Not all valid reports will receive a CVE, but we reserve the right to assign when appropriate.\n\n---\n\n## ✅ In-Scope Vulnerabilities\n\nWe are primarily interested in impactful vulnerabilities affecting Kong services and products, including but not limited to:\n\n- Cross-Site Request Forgery (CSRF)\n- Cross-Site Scripting (XSS)\n- Remote Code Execution (RCE)\n- SQL Injection\n- Server-Side Request Forgery (SSRF)\n- Authentication Bypass\n- Privilege Escalation\n- Local/Remote File Inclusion\n- Sensitive Data Exposure\n- Protection Mechanism Bypasses\n- Directory Traversal\n- Unauthenticated Admin Interfaces\n- Open Redirects with credential/token impact\n\n---\n\n## 🚫 Out-of-Scope Vulnerabilities\n\nKong follows [HackerOne’s Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings) list. Any vulnerabilities categorized as ineligible by HackerOne are also considered **out of scope** for this program.\n\n---\n\n## ⚖️ Legal Notes\n\n- You must be **18 years or older** to participate.\n- You must **not reside in or be associated with** any country or entity on U.S. sanctions lists.\n- You are responsible for any **taxes** associated with your reward.\n- Kong reserves the right to **modify or terminate** this program at any time.\n- All eligibility and reward decisions are **at Kong’s sole discretion**.\n\n---\n\n## 🙏 Thank You\n\nWe appreciate your efforts to help secure Kong. Please submit your reports through this HackerOne program.\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Undeclared","introduction":"Welcome to Kong’s Bug Bounty Program! We’re excited to collaborate with the security community to protect our API management, service mesh, and connectivity products. Your research helps secure Kong Gateway, Konnect, Insomnia, and more. Thanks for helping us build a safer, more connected world.","platform_standards_exclusions":["{\"platform_standard\":\"LEAKAGE_SENSITIVE_PII\",\"justification\":\"Kong doesn't collect this information from our customers\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Leak Credentials\",\"details\":\"Excluding leaked Konnect credentials. We use Auth0 with: MFA enforcement, breached password detection via HaveIBeenPwned, and account lockout features to mitigate risk. Credential leaks typically occur outside Kong's control (password reuse, third-party breaches, phishing).\"}","{\"category\":\"Kong Organization Data Enumeration\",\"details\":\"Kong allows authenticated org members to view users/roles/teams by design for transparency. NOT vulnerabilities: /v3/users or /v3/teams enumeration, \\\"Analytic View Only\\\" role data access. Must show: unauthorized modification, cross-org access, or privilege escalation.\"}"],"timestamp":"2026-05-26T14:46:25.079Z"},{"id":3764947,"new_policy":"# Kong's Bug Bounty Policy\n\nAt Kong, security is a top priority. We value the contributions of the security research community in helping keep our products, services, and users safe. If you discover a vulnerability, we welcome your report and are committed to working with you to address the issue quickly—and to recognizing your efforts with fair rewards.\n\n---\n\n## 🔐 Disclosure Policy\n\nAs this is a **private program**, you may **not disclose or discuss any details** of your findings—including resolved issues—outside this program **without express written permission** from Kong.\n\nPlease also follow [HackerOne’s Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n\nAll communications with Kong’s security team must remain confidential. After the report is closed, please **delete all artifacts** (e.g., PoC code, screenshots, recordings).\n\n---\n\n## 📜 Program Rules\n\nPlease follow these rules to participate:\n\n- Submit **one vulnerability per report** unless chaining is required for impact.\n- Provide **clear, reproducible steps**. Reports that cannot be validated will not be rewarded.\n- Only the **first valid report** for a given issue will be eligible for a bounty.\n- Multiple issues stemming from the same root cause may be **grouped into a single reward**.\n- Only test accounts you own or are explicitly authorized to test.\n- **Ask before testing unscoped subdomains.**\n- Do **not exploit, escalate, or pivot** from discovered vulnerabilities.\n- Do **not engage in**:\n  - Social engineering (phishing, vishing, smishing)\n  - DDoS, spam, or physical attacks\n  - Unauthorized access to other users' data or accounts\n- If you discover a critical issue (e.g., full system access), **stop testing and report it immediately**.\n- Threatening behavior or abuse will result in **immediate disqualification**.\n- We do not allow participation from **sanctioned countries** or where prohibited by law.\n\n---\n\n## 💰 Reward Program Eligibility\n\nTo be eligible for a reward:\n\n- Be the **first** to report the issue.\n- Include **detailed, actionable information** that demonstrates impact.\n- Allow Kong a **reasonable amount of time** to remediate before disclosing.\n- Avoid service degradation, data destruction, or privacy violations.\n- Do not exploit the issue or violate applicable laws during testing.\n- Only submit findings that affect **Confidentiality, Integrity, or Availability**.\n- If a vulnerability is misused or weaponized, eligibility is revoked.\n- Reports must include sufficient detail to assess security impact and reproducibility.\n\n---\n\n## 🧾 CVE Assignment \u0026 Attribution\n\nKong is a [CVE Numbering Authority (CNA)](https://www.cve.org/PartnerInformation/ListofPartners/partner/Kong) and may assign **CVE IDs** to validated vulnerabilities in Kong products.\n\n- Kong will handle CVE publication and coordinate with researchers for accurate attribution (if desired).\n- Not all valid reports will receive a CVE, but we reserve the right to assign when appropriate.\n\n---\n\n## ✅ In-Scope Vulnerabilities\n\nWe are primarily interested in impactful vulnerabilities affecting Kong services and products, including but not limited to:\n\n- Cross-Site Request Forgery (CSRF)\n- Cross-Site Scripting (XSS)\n- Remote Code Execution (RCE)\n- SQL Injection\n- Server-Side Request Forgery (SSRF)\n- Authentication Bypass\n- Privilege Escalation\n- Local/Remote File Inclusion\n- Sensitive Data Exposure\n- Protection Mechanism Bypasses\n- Directory Traversal\n- Unauthenticated Admin Interfaces\n- Open Redirects with credential/token impact\n\n---\n\n## 🚫 Out-of-Scope Vulnerabilities\n\nKong follows [HackerOne’s Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings) list. Any vulnerabilities categorized as ineligible by HackerOne are also considered **out of scope** for this program.\n\n---\n\n## ⚖️ Legal Notes\n\n- You must be **18 years or older** to participate.\n- You must **not reside in or be associated with** any country or entity on U.S. sanctions lists.\n- You are responsible for any **taxes** associated with your reward.\n- Kong reserves the right to **modify or terminate** this program at any time.\n- All eligibility and reward decisions are **at Kong’s sole discretion**.\n\n---\n\n## 🙏 Thank You\n\nWe appreciate your efforts to help secure Kong. Please submit your reports through this private HackerOne program or contact [vulnerability@konghq.com](mailto:vulnerability@konghq.com) with any questions.\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-21T18:25:44.291Z"}]