Smoooth hacking
Klarna looks forward to working with the security community to find vulnerabilities in order to keep its businesses and customers safe. Our program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability, or confidentiality of Klarna products, services, or infrastructure.
If you believe you have found a qualifying security vulnerability in any of the assets that are part of the scope described on this page, please submit a report in accordance with the guidelines below.
Priority Targets
This section highlights the vulnerabilities we are most interested in at any given time. These priorities may change periodically to reflect our current security goals and to direct research toward areas that provide the most value to Klarna's security. Please check back regularly for updates.
We’re currently not offering bonuses or prioritizing any specific vulnerabilities. Please make sure you’re signed up for our updates so you’ll be informed when we add new priorities!
Merchant Portal and Klarna App testing plans
Merchant Portal
Hackers should consider that certain features are only enabled for certain markets, and should test several different markets to ensure that they have a global overview of Klarna's product offering. For example, the BankID authentication flow is only available in Sweden. **Hackers should test in the playground environment only.**
Test Plan
In order to get full access to the playground version of the Merchant Portal, follow the steps below.
- Go to https://docs.klarna.com/
- Click on the 'Log In' button in the top right corner.
- Select the region you're interested in.
- Set 'Playground' as the environment.
- Click 'Sign Up'.
A good starting point for getting familiar with the Merchant Portal is the documentation and links below.
Klarna App (Android & iOS)
Klarna App (Android & iOS) and all of its APIs.
Test Plan
- Users are able to sign up for free accounts through our in-scope mobile app. We do not provide credentials for testing at this time.
- Please use your hacker email alias (e.g. [email protected]) when testing. Reports submitted not using your HackerOne email alias may not be accepted or may have a reduced bounty.
Response targets
Klarna will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of response | SLA in business days |
|---|---|
| First response | 1 day |
| Time to triage | 2 days |
| Time to bounty | 10 days |
| Time to resolution | depends on severity and complexity |
We will try to keep you informed about our progress throughout the process.
Disclosure policy
- Please do not discuss any unresolved vulnerabilities outside of the program without express consent from the organization
- Do not include Personally Identifiable Information (PII) in your vulnerability report. However, do tell us if you were able to access or expose it in any way
- Follow HackerOne's disclosure guidelines
Program rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it may not be eligible for a reward.
- The use of any "HackerOne" identifier (e.g. custom HTTP headers, "[email protected]" email address, etc.) helps us recognize your traffic. Please use them whenever possible
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
- Different regions have distinct log-in flows, functionalities, etc. Klarna will not provide a comprehensive list of the differences, but researchers are encouraged to test/download any of them, as long as they are within the scope of testing
- Social engineering (e.g. phishing and the like) is prohibited
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
- If you come across any private customer/merchant data during testing, please notify us immediately
- Only interact with accounts you own or with the explicit permission of the account holder
- Use of automated scanners, tools, and the like is strictly disallowed
- The standard payout for in-scope subdomain takeover vulnerabilities is $150.
- The standard payout for retests is $50.
- Do not attempt to pivot in any way or attempt to elevate privileges or explore a system beyond the minimum necessary to prove access. This will disqualify you from receiving a bounty.
Third party software, services, and domains
Security issues found on third-party assets which are not managed by Klarna are considered out of scope, and should therefore be reported to the affected party directly. Please perform both of the following validations to ensure that your target does not belong to an externally-owned application:
- whois: confirm that the 'Registrant Organization' value corresponds to 'Klarna *'
- dig: ensure that DNS records do not point to a third party
Some subdomains under our wildcard assets may be operated by third parties; these are not in scope for this program unless expressly stated otherwise.
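The two validations above can be scripted against saved output so that every candidate host gets the same check before you spend time on it. The script below is an added example, not Klarna's own tooling: it parses whois output and `dig +noall +answer` output, treats `klarna.com` and `klarna.net` as Klarna-controlled zones (an assumption made for the example, not a statement from the program), and prints a verdict. The hostnames and records in the demo are constructed.

```shell
#!/bin/sh
# Added example (not Klarna's tooling): pre-check a target against the two
# validations above by parsing saved `whois` and `dig +noall +answer` output.
# The list of Klarna-controlled zones is an assumption for this example.

KLARNA_ZONES="klarna.com klarna.net"

# Print the first 'Registrant Organization' value from whois output on stdin.
registrant_org() {
    sed -n 's/^[[:space:]]*Registrant Organization:[[:space:]]*//p' | head -n 1
}

# Succeed only if the registrant organization starts with "Klarna".
# Privacy-proxy registrants ("Redacted for privacy" and the like) fail this
# check and need a manual look rather than an assumption either way.
registrant_is_klarna() {
    case "$(registrant_org)" in
        Klarna*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Succeed only if every CNAME in dig answer output on stdin points inside an
# assumed Klarna zone. A records are not judged here: an IP address says
# nothing about the operator without a further lookup (IP whois / ASN), so a
# host that resolves only to A records still needs manual review.
cnames_stay_in_house() {
    awk -v zones="$KLARNA_ZONES" '
        BEGIN { n = split(zones, z, " "); bad = 0 }
        $4 == "CNAME" {
            t = $5; sub(/\.$/, "", t); ok = 0
            for (i = 1; i <= n; i++) {
                if (t == z[i]) ok = 1
                if (substr(t, length(t) - length(z[i])) == "." z[i]) ok = 1
            }
            if (!ok) bad = 1
        }
        END { exit bad }'
}

# Run both checks on saved output files and print a verdict.
scope_verdict() {
    whois_out=$1; dig_out=$2
    if ! registrant_is_klarna < "$whois_out"; then
        echo "out-of-scope: registrant organization is not Klarna"; return 1
    fi
    if ! cnames_stay_in_house < "$dig_out"; then
        echo "out-of-scope: DNS record points to a third party"; return 1
    fi
    echo "in-scope candidate: registrant is Klarna and no CNAME leaves its zones"
}

# Demo on constructed data (the hostnames and records below are made up).
demo() {
    d=$(mktemp -d)
    cat > "$d/whois.txt" <<'EOF'
Domain Name: KLARNA.COM
Registrant Organization: Klarna Bank AB
Registrant Country: SE
EOF
    cat > "$d/dig_inhouse.txt" <<'EOF'
shop.klarna.com.    300  IN  CNAME  edge.klarna.net.
edge.klarna.net.    60   IN  A      203.0.113.10
EOF
    cat > "$d/dig_thirdparty.txt" <<'EOF'
status.klarna.com.  300  IN  CNAME  hosted.example.net.
EOF
    scope_verdict "$d/whois.txt" "$d/dig_inhouse.txt" || true
    scope_verdict "$d/whois.txt" "$d/dig_thirdparty.txt" || true
    rm -rf "$d"
}

demo
```

Against a live target you would save `whois klarna.com > w.txt` and `dig +noall +answer host.klarna.com > d.txt` and call `scope_verdict w.txt d.txt`. Note that the whois check is on the registrable domain, not the subdomain, and that a passing verdict only means nothing obviously third-party was found; a host behind a CNAME into a Klarna zone can still be served by an outside vendor, so the program's own scope statement remains the final word.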
Out-of-scope vulnerabilities (general)
Klarna places special emphasis on the security, integrity and availability of its data and systems and thus also on those of its customers, employees and partners. We value the work of security researchers in improving the security of our products and services and encourage the community to participate in our bug bounty program.
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring man-in-the-middle (MITM) or physical access to a user's device
- Previously known vulnerable libraries without a working proof of concept (PoC)
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our services (DoS)
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Any issues related to the use of HTTP Basic Authentication
- Lack of security-related HTTP headers (e.g.: HSTS, X-XSS-Protection, X-Content-Type-Options, etc.)
- Missing best practices in Content Security Policy (CSP)
- Missing "HttpOnly" or "Secure" flags on cookies
- Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (anything more than 2 stable versions behind the latest released stable version)
- Software version disclosure/banner identification issues/descriptive error messages or headers (e.g. stack traces, application or server errors)
- Vulnerabilities in third-party software which have had an official patch for less than one month will be awarded on a case-by-case basis
- Rewards for 0-days in third-party software will be awarded on a case-by-case basis
- Vulnerabilities that require social engineering/phishing of Klarna's staff, customers, or contractors
- Open-redirect issues (unless there's an exceptional impact, e.g. in OAuth flows)
- Issues that require unlikely user interactions
Legal
- You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this bug bounty program
- You agree that you shall not, without the prior written consent of Klarna in each instance, use in advertising, publicity, or otherwise the name of Klarna or its affiliated companies or any trade name, trademark, or symbols owned by Klarna or its affiliated companies
- You agree that all information acquired or accessed by you (including any and all Klarna data) as part of this exercise, and the vulnerability reports created by you, is confidential to Klarna
- You shall hold the confidential information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purposes other than for the performance of your work
- You acknowledge and agree that any and all information you encounter is owned by Klarna, its affiliated companies, or its third-party providers, clients, or customers. You have no rights, title, or ownership to any information that you may encounter
- By submitting a vulnerability report, you consent to your information being transferred to Klarna and acknowledge that you have read and accepted these terms and applicable privacy policy presented to you when you created your account and/or when entering into this program
- Your testing must not violate any law, or disrupt or compromise any data that is not your own. You may not process any data from Klarna's systems, including any personal data (i.e. data directly or indirectly related to an identifiable person), when conducting your review or preparing your vulnerability report
- If you come across data from Klarna's systems or any personal data (which may for example concern Klarna's customers, employees, etc.) when creating your vulnerability report under this program, you shall immediately permanently erase and/or return such personal data to Klarna, and not use it for any purposes
- Klarna's employees and contingent workers, as well as their immediate family members and persons living in the same household, or third parties that are/were engaged in developing code for Klarna are not eligible to receive bounties or rewards of any kind under this bug bounty program