KodeMint is committed to security of our products.
We welcome skilled researchers to share with us any impactful and in-scope issues and the techniques used to exploit them in our products.
If you believe you've found a security bug in our services, we appreciate your cooperation in responsibly investigating and reporting it to us. We are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
Rewards
Our Bug Bounty Program offers bounties for bugs which meet the following criteria.
The bug has a direct security impact and falls under one of our Vulnerability Categories. The minimum reward for eligible bugs is $10 USD and maximum reward can be upto $500 USD.
Bounty amounts are decided by the KodeMint team and are not negotiable. One valid bug equals one reward. Acceptance requires multiple valid reports and remains at the discretion of our team.
Eligibility
You should be the first to report this issue to us. Your submission must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed. You must agree to participate in testing the effectiveness of the countermeasure applied to your report. You agree to keep any communication with KodeMint private. The bug must falls under one of our items explicitly listed as Vulnerability Categories here:
Cross-Site Request Forgery, Cross-Site Scripting, Open Redirects, Cross Origin Resource Sharing, SQL injections, Server Side Request Forgery, Privilege Escalation, Local File Inclusion, Remote File Inclusion, Leakage of Sensitive Data, Authentication Bypass, Directory Traversal, Payment Manipulation, Remote Code Execution
Rules
- Don't violate the privacy of other users, destroy data, disrupt our services, etc.
- Don't request updates on an hourly basis. We are handling dozens of reports daily and spam impacts KodeMint's Bug Bounty Program efficiency.
- Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
- Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
- In case you find a severe vulnerability that allows system access, you must not proceed further.
- It is KodeMint’s decision to determine when and how bugs should be addressed and fixed.
- Disclosing bugs to a party other than KodeMint is forbidden, all bug reports are to remain at the reporter and KodeMint’s discretion.
- Threatening of any kind will automatically disqualify you from participating in the program.
- Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
- Bug disclosure communications with KodeMint’s Security Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.