Smoooth hacking
Klarna's vulnerability disclosure program (VDP) is limited to security vulnerabilities that may be present in assets owned by Klarna. Our program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability, or confidentiality of Klarna products, services, or infrastructure. Be mindful that this is a vulnerability disclosure program. In other words, Klarna does not provide bounties/rewards for reported vulnerabilities.
If you believe you have found a qualifying security vulnerability in a Klarna product, service, or website, please submit a report in accordance with the guidelines below.
Response targets
Klarna will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of response | SLA in business days |
|---|---|
| First response | 1 day |
| Time to triage | 2 days |
| Time to bounty | 10 days |
| Time to resolution | depends on severity and complexity |
We will try to keep you informed about our progress throughout the process.
Disclosure policy
- As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- Do not include Personally Identifiable Information (PII) in your vulnerability report. However, please do inform us if you are able to disclose it in any way
- Follow HackerOne's disclosure guidelines
Program rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it may be classified as N/A.
- The use of any "HackerOne" identifier (e.g. custom HTTP headers, "[email protected]" email address, etc.) helps us recognize your traffic. Please use them whenever possible
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
- Different regions have distinct log-in flows, functionalities, etc. Klarna will not provide a comprehensive list of the differences, but researchers are encouraged to test/download any of them, as long as they are within the scope of testing
- Social engineering (e.g. phishing and the like) is prohibited
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
- The majority of our scope is located in a production/live environment. Please keep this in mind and be careful with tests that may affect customers and/or merchant operations
- If you come across any private customer/merchant data during testing, please notify us immediately
- Only interact with accounts you own or with the explicit permission of the account holder
- Use of automated scanners, tools, and the like is strictly disallowed
Scope
Security vulnerabilities that are identified in Klarna products, services, or in website domains owned, operated, or controlled by Klarna are in scope. Issues without a proven security impact submitted to our program will be closed out. Please review our out-of-scope sections before submitting your report.
Third party software, services, and domains
Security issues found on third-party assets which are not managed by Klarna are considered out of scope, and should therefore be reported to the affected party directly. Please perform both of the following validations to ensure that your target does not belong to an externally-owned application:
- whois: confirm that the 'Registrant Organization' value corresponds to 'Klarna *'
- dig: ensure that DNS records do not point to a third party
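As an added example (not part of Klarna's policy page), a small Python helper that applies both validations to captured whois and dig output. The records below are constructed samples, and the list of Klarna-controlled DNS suffixes is an assumed parameter, not something the policy specifies:

```python
import re

# Constructed sample whois/dig output for illustration; these are not real records.
WHOIS_SAMPLE = """\
Domain Name: example-shop.test
Registrant Organization: Klarna AB
Registrant Country: SE
"""

DIG_SAMPLE = """\
shop.example-shop.test. 300 IN CNAME d1234.cloudfront.test.
d1234.cloudfront.test. 60 IN A 203.0.113.10
"""


def registrant_is_klarna(whois_text: str) -> bool:
    """First validation: the 'Registrant Organization' field must read 'Klarna *'."""
    m = re.search(r"^Registrant Organization:\s*(.+)$", whois_text, re.M)
    return bool(m) and m.group(1).strip().startswith("Klarna")


def third_party_targets(dig_text: str, own_suffixes=("klarna.com",)) -> list:
    """Second validation: list CNAME/NS/MX targets outside the assumed Klarna zones.

    own_suffixes is an assumption for this example; adjust it to the zones you
    have confirmed via whois. A/AAAA records are ignored here because an IP alone
    does not tell you who operates the host.
    """
    hits = []
    for line in dig_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN" or parts[3] not in ("CNAME", "NS", "MX"):
            continue
        target = parts[-1].rstrip(".").lower()
        if not any(target == s or target.endswith("." + s) for s in own_suffixes):
            hits.append(target)
    return hits


def in_scope(whois_text: str, dig_text: str) -> bool:
    """A target passes only if the registrant is Klarna and no record points elsewhere."""
    return registrant_is_klarna(whois_text) and not third_party_targets(dig_text)
```

With the sample records the registrant check passes but the CNAME points at an external host, so the helper reports the target as out of scope.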
Out-of-scope vulnerabilities (general)
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
- Any hard-coded API tokens and secrets for the time being. Klarna is aware of these issues and is working on them internally
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring man-in-the-middle (MITM) or physical access to a user's device
- Previously known vulnerable libraries without a working proof of concept (PoC)
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our services (DoS)
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Lack of security-related HTTP headers (e.g. HSTS, X-XSS-Protection, X-Content-Type-Options, etc.)
- Missing best practices in Content Security Policy (CSP)
- Missing "HttpOnly" or "Secure" flags on cookies
- Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)
- Software version disclosure/banner identification issues/descriptive error messages or headers (e.g. stack traces, application or server errors)
- Vulnerabilities in third-party software which have had an official patch for less than one month will be awarded on a case-by-case basis
- Vulnerabilities that require social engineering/phishing of Klarna's staff, customers, or contractors
- Open-redirect issues without a proven security impact
- Issues that require unlikely user interactions
Out-of-scope vulnerabilities (Android and iOS)
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
- Absence of certificate pinning
- Shared links leaked through the system clipboard
- Sensitive data in URLs/request bodies when protected by TLS
- User data stored unencrypted in the file system and/or external storage
- Lack of obfuscation
- OAuth "app secret" hard-coded/recoverable
- Crashes due to malformed URL schemes or intents sent to an exported Activity/Service/BroadcastReceiver
- Any kind of sensitive data stored in the app's private directory
- Lack of binary protection (anti-debugging) controls
- Lack of exploit mitigations (e.g. PIE, ARC, or stack canaries)
- Lack of jailbreak detection
- Path disclosure in the binary
- Snapshot/pasteboard leakage
- Runtime hacking exploits (e.g. exploits that are only possible in a jailbroken environment)
Legal
- You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this bug bounty program
- You agree that you shall not, without the prior written consent of Klarna in each instance, use in advertising, publicity, or otherwise the name of Klarna or its affiliated companies or any trade name, trademark, or symbols owned by Klarna or its affiliated companies
- You agree that all information acquired or accessed by you (including any and all Klarna data) as part of this exercise, and the vulnerability reports created by you, is confidential to Klarna
- You shall hold the confidential information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purposes other than for the performance of your work
- You acknowledge and agree that any and all information you encounter is owned by Klarna, its affiliated companies, or its third-party providers, clients, or customers. You have no rights, title, or ownership to any information that you may encounter
- By submitting a vulnerability report, you consent to your information being transferred to Klarna and acknowledge that you have read and accepted these terms and applicable privacy policy presented to you when you created your account and/or when entering into this program
- Your testing must not violate any law, or disrupt or compromise any data that is not your own. You may not process any data from Klarna's systems, including any personal data (i.e. data directly or indirectly related to an identifiable person), when conducting your review or preparing your vulnerability report
- If you come across data from Klarna's systems or any personal data (which may for example concern Klarna's customers, employees, etc.) when creating your vulnerability report under this program, you shall immediately permanently erase and/or return such personal data to Klarna, and not use it for any purposes
- Klarna's employees and contingent workers, as well as their immediate family members and persons living in the same household, or third parties that are/were engaged in developing code for Klarna are not eligible to receive bounties or rewards of any kind under this bug bounty program
Safe harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Your participation in our bug bounty program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us, you are indicating that you have read and agree to follow the rules set forth on this page. Klarna reserves the right to modify or terminate this program at any time.
We value the positive impact of your work and thank you in advance for your contribution in helping to keep Klarna and our customers safe!