Bug Bounty

We are committed to the security of our products.

Found bugs?

We at KodeMint welcome skilled researchers to share with us any impactful, in-scope issues in our products and the techniques used to exploit them.

If you believe you've found a security bug in our apps or services, we appreciate your cooperation in responsibly investigating and reporting it to us. We are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

You can submit your reports by sending us an email at hi@kodemint.in. When submitting your report, please provide the following details:

  • Your Name
  • Your Email
  • Type of Bug / Concern
  • Title
  • Description
  • Steps to Reproduce
  • Probable Solution
  • URL

Rewards

Our Bug Bounty Program offers bounties for bugs which meet the following criteria:

The bug has a direct security impact and falls under one of our Vulnerability Categories. The minimum reward for eligible bugs is $10 USD and the maximum reward is up to $500 USD.

Bounty amounts are decided by the KodeMint team and are not negotiable. One valid bug equals one reward. Acceptance of multiple valid reports remains at the discretion of our team.

Eligibility

You should be the first to report the issue to us. Your submission must contain sufficient information, including a proof-of-concept screenshot, video, or code snippet where needed. You must agree to participate in testing the effectiveness of the countermeasure applied in response to your report. You agree to keep any communication with KodeMint private.

Bug reports must be related to one of our products. Do not submit reports related to our website, product web pages, third-party packages, or third-party packages installed on sub-domains. For example, any report on kodemint.in, auth.kodemint.in, signal.kodemint.in, signalv2.kodemint.in, ice.kodemint.in, janus.kodemint.in, etc. will be ignored.

The bug must fall under one of the items explicitly listed as Vulnerability Categories here:

  • Cross-Site Request Forgery
  • Cross-Site Scripting
  • Open Redirects
  • Cross-Origin Resource Sharing (CORS) misconfiguration
  • SQL Injection
  • Server-Side Request Forgery
  • Privilege Escalation
  • Local File Inclusion
  • Remote File Inclusion
  • Leakage of Sensitive Data
  • Authentication Bypass
  • Directory Traversal
  • Payment Manipulation
  • Remote Code Execution

Rules

  • Don't violate the privacy of other users, destroy data, disrupt our services, etc.
  • Don't request updates on an hourly basis. We are handling dozens of reports daily, and repeated follow-ups reduce the efficiency of KodeMint's Bug Bounty Program.
  • Wait for our response after submission; once the KodeMint team has determined the validity of your submission, we will get back to you.
  • Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
  • Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
  • If you find a severe vulnerability that allows system access, stop there and report it; do not proceed further.
  • It is KodeMint's decision to determine when and how bugs should be addressed and fixed.
  • Disclosing bugs to a party other than KodeMint is forbidden; all bug reports are to remain at the reporter's and KodeMint's discretion.
  • Threats of any kind will automatically disqualify you from participating in the program.
  • Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
  • Bug disclosure communications with KodeMint's Security Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (PoC code, videos, screenshots) after the bug report is closed.

If you need to share screenshots or videos, please upload them to your own Google Drive or any other upload service that is NOT public, and include the links to those files in your email report.

Please allow us up to 10 days to respond before sending another email on the matter.