Kickbooster is committed to protecting the privacy and security of our Campaign Owners, Boosters and Backers. Accordingly, recognizing that we may have missed something, we encourage individual security researchers to analyze our solutions to make them safer for our users. Kickbooster’s Bug Bounty Program is our way to reward security researchers for finding serious security vulnerabilities in the In-Scope properties listed below.
If you think you have found a security vulnerability in our solutions, please contact us! We’ll investigate the issue and try to resolve it quickly. Before you report an issue, review this page.
Our team strives to:
- Triage and reply to all reports within a week (where applicable)
- Determine the security impact transparently
- Award bounties within a week of resolution (excluding extenuating circumstances)
- Only close reports as N/A when the issue reported has already been identified by another researcher (known issues), lacks evidence of a vulnerability, or falls under the Out-of-Scope Vulnerabilities
Bug Bounty Program Policy
To protect both Kickbooster and security researchers, we ask you to comply with the following policies:
- Allow reasonable time to investigate and mitigate an issue you report before you publicize any information about the report or share such information with others.
- Avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services.
- Do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
- Do not exploit a security issue you discover for any reason. This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.
- For the purposes of this policy, you are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.
- By submitting content to Kickbooster, you irrevocably waive all moral rights which you may have in the content.
- All content submitted by you to Kickbooster under this program is licensed under the MIT License.
- You must report any discovered vulnerability to Kickbooster as soon as you have validated the vulnerability.
- Failure to follow any of the foregoing rules will disqualify you from participating in this program.
Kickbooster reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.
Kickbooster considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Kickbooster will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Kickbooster policy.
Upon Kickbooster’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.
Kickbooster Bug Bounty Guidelines
Participating in Kickbooster’s Bug Bounty Program requires that you follow our guidelines. Adhere to the following guidelines to be eligible for rewards as part of this program:
- Don’t violate the privacy of other users, destroy data, disrupt our services, etc.
- Since we’re handling many reports and spam impacts our efficiency, don’t request updates on an hourly basis.
- Threatening behaviour of any kind will automatically disqualify you from participating in the program.
- Don’t target, attempt to access, or otherwise disrupt the accounts of other users. All investigative targets must be accounts you own.
- Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
- Don't target our physical security measures, or attempt to use social engineering, spam, or distributed denial of service (DDoS) attacks.
- If you find a severe vulnerability that allows system access, you must not proceed further.
- Disclosing bugs to a party other than Kickbooster is forbidden; all bug reports are to remain at the reporter's and Kickbooster's discretion.
- It’s Kickbooster's decision to determine when and how bugs should be addressed and fixed.
- Bug disclosure communications with Kickbooster’s Security team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (PoC code, videos, screenshots) after the bug report is closed.
Kickbooster Bug Bounty Scope
The following services and domains are considered in scope:
Generally speaking, any bug that poses a significant vulnerability to our users could be eligible for reward. It’s entirely at Kickbooster’s discretion to decide whether a bug is significant enough to be eligible for reward. Security issues that typically would be eligible include:
- SQL injections
- Code Executions
- Directory Traversal
- Privilege Escalations
- Authentication Bypasses
- Leakage of sensitive data
- Cross-Site Scripting (XSS)
- File inclusions (Local & Remote)
- Cross-Site Request Forgery (CSRF)
- Server Side Request Forgery (SSRF)
- Open redirects which allow stealing tokens/secrets
- Protection Mechanism bypasses (CSRF bypass, etc.)
- Administration portals without an authentication mechanism
- Discretion-based vulnerabilities:
  - Self-XSS where a user could be tricked into executing the payload
  - Denial of service vulnerabilities significantly impacting application functionality
Things that aren’t eligible for reward include:
- Cache Poisoning
- Content spoofing
- Missing SPF records
- Brute force attacks
- Issues that aren’t reproducible
- Lack of rate limiting mechanisms
- Distributed Denial of Service attacks
- Open redirects without a severe impact
- CSRF issues on actions with minimal impact
- Application stack traces (path disclosures, etc.)
- Vulnerabilities that require Man in the Middle (MiTM) attacks
- Theoretical subdomain takeovers with no supporting evidence
- Any exploit that a user can intentionally use against themselves or their own campaign
- Vulnerabilities affecting outdated or unpatched browsers/operating systems
- Security practices (banner revealing a software version, missing security headers, etc.)
- Bugs already known to us, or already reported by someone else (reward goes to first reporter)
- Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.
- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main websites.
To report an issue:
Send an email to [email protected]
Include information about the vulnerability and detailed steps on how to replicate it. The report must pertain to an item explicitly listed under our in-scope vulnerabilities section.
The report should also contain as much detailed information as you can include—ideally, a description of your findings, the steps needed to reproduce the issue, when you discovered the vulnerability and the vulnerable component.