Bug Bounty Program
At Kentico, we are committed to delivering secure products. While our internal security team works hard to identify vulnerabilities before reaching production, we recognize the value of external expertise. We invite skilled security researchers and pentesters to participate in our private bug bounty program. By joining forces, we can collectively improve the security of our software and protect our users.
By submitting reports or otherwise participating in this program, you agree that you have read and will abide by the program rules and legal terms, which are listed below.
Program Rules
Violation of any of these rules may result in ineligibility for a bounty and disqualification from the bug bounty program.
- Any illegal activity is prohibited. Only test vulnerabilities on accounts that you own or that the account owner has authorized you to test.
- Never use a finding to compromise/exfiltrate/modify/destroy data or to pivot to other systems. Use a proof-of-concept only to demonstrate an issue.
- Researchers are not authorized to and must not engage in any activity that would be disruptive, damaging, or harmful to Kentico, its brands, or its users. This includes social engineering, unsolicited messages, phishing, physical security, and any type of denial-of-service attacks, especially automated tools, against users, employees, or Kentico as a whole.
- Testing of third-party websites, applications, or services integrated into in-scope products is not allowed.
- Excessive or repetitive submissions, messages, or requests without valid cause are prohibited. We will always get back to you once we finish the triage of the issue.
- Use of offensive, degrading, or inappropriate language will result in immediate disqualification from this program. Please keep the communication civil.
- Contacting Kentico through means other than those specified below regarding the bounty program (pre-validating reports, testing, requesting updates, etc.) is not allowed.
Scope
Please make sure your findings are within the current scope of our bug bounty program before reporting. Reports that are out of scope will not be eligible for a cash reward. For the tested application, use the latest released version available.
Xperience by Kentico
- All 3 templates published as NuGet Template Kentico.Xperience.Templates
See our documentation on how to set up a local instance. A 30-day evaluation license can be obtained via the Client portal.
Xperience by Kentico integrations
Follow the README.md in each repository to learn how to set up and run the integrations.
Please note that the domain kentico.com and its subdomains are currently out of scope.
Issues not to report:
Before submitting your report, please make sure your issue is not on the exclusion list below. Reports on the following items will automatically be marked as “out of scope” and will not be eligible for a bounty:
Xperience by Kentico
- Application and environment security misconfiguration
- AI features (AIRA), e.g. prompt injection
- Vulnerabilities in third-party libraries without direct impact on product
- XSS injected from HTML editor (Froala)
- Clickjacking on pages without sensitive actions (missing X-Frame-Options)
- Absence of the HttpOnly and Secure flags on non-sensitive cookies
General
- Disclosure of known public files or directories (e.g. robots.txt)
- Absence of best configuration practices such as CSP, DNSSEC, HTTPS, or SPF/DKIM records
- Software banner and other version information disclosure
- Attacks that require physical access to a user's device
- Man-in-the-middle (MITM) attacks
- Phishing or social engineering techniques
- Cross-Site Request Forgery (CSRF) for logout and unauthenticated forms
- Vulnerabilities related to outdated browsers or browser autocomplete/save-password functionality
Rewards
Valid findings will be rewarded based on severity as determined by Kentico at its sole discretion. You will be eligible for a financial bounty only if you are the first person to disclose an unknown issue within the scope of this program.
All rewards will be paid via Amazon vouchers based on the payout table below. There are currently no other payment options available, such as PayPal or bank transfer.
| Severity | Low | Medium | High | Critical |
| --- | --- | --- | --- | --- |
| Xperience by Kentico Integrations | $100 Amazon voucher | $200 Amazon voucher | $500 Amazon voucher | $700 Amazon voucher |
Responsible disclosure
Researchers may not publicly disclose vulnerabilities (share details with anyone other than authorized Kentico employees) or otherwise share vulnerabilities with third parties without explicit written permission from Kentico. This gives us enough time to properly address issues before the report is made public.
Exclusions
Kentico employees (including former employees who have separated from Kentico within the last 12 months), contingent workers, contractors (including their staff), consultants, and their immediate family members/people living in the same household are not eligible to receive bounties or rewards of any kind under the Kentico Bug Bounty Program.
Legal Terms
In connection with your participation in this program, you agree to comply with the Kentico Privacy Policy and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.
Kentico reserves the right to change or modify the terms and conditions of this program at any time.
Safe Harbor
Kentico will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with the Bug Bounty Program Policy.
Reporting Guidelines
If you believe you've found a security vulnerability within the scope of the bug bounty program, we encourage you to let us know immediately using the form below or by sending a report to our email bugbounty@kentico.com. We ask that you keep the issue private until we have a chance to address it. We won't pursue legal action as long as you make a good faith effort to avoid privacy violations and destructive exploitation of the vulnerability.
Please include the following information in your report:
- A detailed, step-by-step proof of concept (PoC) demonstrating your findings so we can verify their validity. We won't process any reports without a PoC. If we don't have enough information to reproduce the problem, the validation process will be slowed down.
- The impact of the vulnerability
- Use screenshots or screen captures in your report. The more information we have, the faster we can get back to you.
- Please do not submit reports from automated tools.