
Kiavi
External Program
Kiavi (previously LendingHome) appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities and to recognize you for your effort to make the Internet a better place.
Kiavi asks that you only test on our matrix server, which mimics our production systems (https://www.lh-matrix.com). Testing on lh-matrix.com will avoid most rate limits and Web Application Firewall temporary bans. Running through the initial flow will prompt you to create a new username at the appropriate time, which you can return to later. Please create any accounts with your @wearehackerone.com email address. You can create multiple accounts if necessary by using VERP notation, i.e.: [email protected].
All HackerOne Core Ineligible Findings and the following issues are outside the scope of our program:
- Reports from automated tools or scans.
- Content-related issues (broken external links, typos, outdated information) that do not directly impact the security of Kiavi's systems or user data.
- Attacks requiring physical access to a user's device.
- Any physical attempts against Kiavi employees, property, or data centers.
- Missing security headers which do not lead directly to a vulnerability.
- Missing best practices (Kiavi requires evidence of a security vulnerability).
- The presence/absence of SPF/DMARC/HSTS/CAA DNS records.
- The presence/absence of COOP/COEP/CORS headers.
- Password, email and account policies, such as email id verification, reset link expiration, password complexity.
- Lack of CSRF tokens (unless there is evidence of an actual, sensitive user action not protected by a token).
- Host header injections, unless you can show how they can lead to stealing user data.
- Use of a known-vulnerable library (without evidence of exploitability).
- Attacks that require the attacker's app to have the permission to overlay on top of our app (e.g., tapjacking).
- Presence of the autocomplete attribute on web forms.
- Missing cookie flags on non-sensitive cookies.
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept).
- Any access to data where the targeted user needs to be operating a rooted mobile device.
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML.
- Absence of rate limiting, unless related to authentication.
- Hyperlink injection or any link injection in emails Kiavi sends.
- Phishing risk via Unicode/Punycode or RTLO issues.
- Being able to upload files with the wrong extension in the chooser.
- Subdomain takeovers without a complete proof of concept.
- Editable GitHub wikis.
- AWS Temporary Credentials for supporting file uploads at /aws_s3/temporary_credentials.
This is a vulnerability disclosure program; therefore, we will not be awarding bounties on the HackerOne platform.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct.
Kiavi will not negotiate in response to duress or threats (e.g., we will not negotiate a payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).
By providing a Submission or agreeing to the Program Terms, you agree that you may not publicly disclose your findings or the contents of your Submission to any third parties in any way without Kiavi's prior written approval.
We may modify the Program Terms or cancel the Vulnerability Disclosure Program at any time.