Introduction
KOHO is a Canadian fintech company rooted in the belief that a better banking alternative exists. Our bug bounty program will allow researchers to help us improve our security for our customers to enable that better banking experience. We look forward to working with you through this program!
Positive Hacker Signal required
Due to the increase in spam and N/A report submissions coming from program participants that have a negative Signal score, we are prohibiting anyone from participating in this program if they have a Signal score at or under 0. Any reports submitted by those with a negative score will be immediately closed as Spam and then locked. We reserve the right to report the author for abuse and block them from the KOHO bug bounty program.
Response Targets
We'll try to stay within our stated SLAs and keep you informed about our progress throughout the process. We will endeavour to achieve resolution for bugs within 30 days of reporting, but may need more time to fix the issues. We'll let you know if we require more time.
Disclosure Policy
Please refrain from discussing vulnerabilities in this program without express consent from a member of the KOHO program team.
Follow HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines.
Communication Policy
- All communication regarding vulnerability reports must occur exclusively through the HackerOne platform.
- Do not contact KOHO employees, executives, or official KOHO accounts through any external channels (including but not limited to social media, direct email, LinkedIn, or other messaging platforms) regarding bug bounty submissions or program-related matters.
- If you experience issues with the HackerOne platform itself, you may contact [email protected] with "HackerOne" in the subject line, but only for HackerOne platform access issues—not to discuss report status, bounty amounts, or dispute resolutions.
- Attempting to escalate or expedite reports through external channels is considered a violation of this policy.
Any participant who contacts KOHO through external channels regarding their submission will forfeit their eligibility for a bounty award on that report and may be banned from the program.
Professional Conduct
All interactions with the KOHO security team must be professional and respectful.
We are committed to treating all researchers fairly and with respect, and we expect the same in return. The following behaviours are strictly prohibited:
- Abusive, threatening, or harassing language
- Personal attacks or insults directed at KOHO employees
- Threats to publicly disclose vulnerabilities as leverage for higher bounties or faster resolution
- Demands or ultimatums regarding bounty amounts or report timelines
- Any form of intimidation or coercion
- Repeated messaging after being asked to wait for a response
We understand that disagreements may arise regarding severity assessments or bounty amounts. We welcome constructive discussion and are happy to explain our reasoning. However, disagreement does not justify unprofessional behaviour.
Violations of this policy will result in immediate forfeiture of bounty eligibility for the associated report. Severe or repeated violations will result in a permanent ban from the KOHO bug bounty program and may be reported to HackerOne for further action.
Some Geographic Restrictions Apply
Performing any authenticated testing on the KOHO application requires you to be a Canadian resident eligible to open a KOHO account. Due to our status as a financial technology company, any customer or user of the KOHO application must pass the Know Your Customer (KYC) checks required by law, which can only be passed by Canadian citizens at this time. We are looking at ways around this geographic restriction but, at the moment, this means non-Canadian residents can only test in-scope assets other than the KOHO mobile or web application.
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- When duplicates occur, we award the first report received that contains sufficient detail to reproduce the issue. If your report is marked as duplicate, we will provide the original report ID and submission date upon request.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- Use the User Agent "HackerOne: username" when testing against our systems so that we can distinguish your testing efforts from real attacks (where username should be replaced with your HackerOne username).
- Our normal working hours at KOHO are between 8AM and 6PM EST. If you're going to do testing on our systems that might trigger alarms on our end, we'd truly appreciate it if you did so during business hours. Not a requirement - just helps us sleep at night :)
- No request floods (TCP, HTTP, etc.) on any endpoints.
- Current and former KOHO employees and contractors are not eligible for bounty awards from this program.
- Do not sell, transfer, or disclose vulnerability details to any third party without KOHO's written consent.
Scope
Please refer to the Scope tab for the domain assets in scope. Anything not listed as In Scope is considered out of scope and not permitted for testing.
The following classes of vulnerabilities are of particular interest to us and will generally lead us to raise the criticality of a bug:
- Any vulnerability that would allow you to create a KOHO account and send transactions by bypassing our KYC protocols;
- Any vulnerability that would allow unintended modifications to the balance of a KOHO account (e.g. achieving a negative balance and being able to continue purchasing despite it);
- Vulnerabilities that allow for user spoofing/account takeovers.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
- Rate limiting or brute-force issues on any endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
- Tabnabbing
- Open redirect, unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Credential stuffing
- Self-XSS (XSS that only affects the user performing the action)
- Logout CSRF
- Account enumeration via login/registration/password reset pages (unless demonstrably exploitable)
- Theoretical vulnerabilities without a working proof of concept
- Vulnerabilities requiring root/jailbreak on mobile devices
- Automated scanner output without manual validation
Researcher Acknowledgement
With your permission, we may acknowledge your contribution on our security acknowledgements page.
Thank you for helping keep KOHO and our users safe!