Kong's Bug Bounty Program
Introduction
Welcome to Kong's Bug Bounty Program! We're excited to collaborate with the security community to protect our API management, service mesh, and connectivity products. Your research helps secure Kong Gateway, Konnect, Insomnia, and more. Thanks for helping us build a safer, more connected world.
Program Highlights
- Gold Standard Safe Harbor: Adheres to Gold Standard Safe Harbor
- Coordinated Vulnerability Disclosure: Undeclared
- Top Response Efficiency: This program's response efficiency is above 90%
Response Times
- Average time to first response: 16 hours
- Average time to triage: 2 days, 13 hours
- Average time to bounty: 4 days, 10 hours
- Average time from submission to bounty: 6 days, 23 hours
- Average time to resolution: 1 month, 2 weeks
Rewards Summary
Rewards are based on severity per CVSS (the Common Vulnerability Scoring System). These are general guidelines, and reward decisions are at the discretion of Kong.
| Severity | Average Bounty | Percentage of Submissions |
|---|---|---|
| Low | n/a | 16% |
| Medium | $100 | 36% |
| High | n/a | 24% |
| Critical | $1,000 | 24% |
Scope Exclusions
Core Ineligible Findings
Leaked Credentials: Leaked Konnect credentials are excluded from scope. Kong uses Auth0 with MFA enforcement, breached password detection via HaveIBeenPwned, and account lockout features to mitigate risk. Credential leaks typically occur outside Kong's control (password reuse, third-party breaches, phishing).
Kong Organization Data Enumeration: Kong allows authenticated org members to view users/roles/teams by design, for transparency. The following are NOT vulnerabilities: /v3/users or /v3/teams enumeration, or data access by the "Analytic View Only" role. A valid report must show unauthorized modification, cross-org access, or privilege escalation.
Platform Standards Deviations
Kong does not collect sensitive personally identifiable information from customers, so severity rating for leakage of such information does not apply.
Disclosure Policy
As this is a private program, you may not disclose or discuss any details of your findings—including resolved issues—outside this program without express written permission from Kong.
All communications with Kong's security team must remain confidential. After the report is closed, please delete all artifacts (e.g., PoC code, screenshots, recordings).
Program Rules
Please follow these rules to participate:
- Submit one vulnerability per report unless chaining is required for impact.
- Provide clear, reproducible steps. Reports that cannot be validated will not be rewarded.
- Only the first valid report for a given issue will be eligible for a bounty.
- Multiple issues stemming from the same root cause may be grouped into a single reward.
- Only test accounts you own or are explicitly authorized to test.
- Ask before testing unscoped subdomains.
- Do not exploit, escalate, or pivot from discovered vulnerabilities.
- Do not engage in:
  - Social engineering (phishing, vishing, smishing)
  - DDoS, spam, or physical attacks
  - Unauthorized access to other users' data or accounts
- If you discover a critical issue (e.g., full system access), stop testing and report it immediately.
- Threatening behavior or abuse will result in immediate disqualification.
- We do not allow participation from sanctioned countries or where prohibited by law.
Reward Program Eligibility
To be eligible for a reward:
- Be the first to report the issue.
- Include detailed, actionable information that demonstrates impact.
- Allow Kong a reasonable amount of time to remediate before disclosing.
- Avoid service degradation, data destruction, or privacy violations.
- Do not exploit the issue or violate applicable laws during testing.
- Only submit findings that affect Confidentiality, Integrity, or Availability.
- If a vulnerability is misused or weaponized, eligibility is revoked.
- Reports must include sufficient detail to assess security impact and reproducibility.
CVE Assignment & Attribution
Kong is a CVE Numbering Authority (CNA) and may assign CVE IDs to validated vulnerabilities in Kong products.
- Kong will handle CVE publication and coordinate with researchers for accurate attribution (if desired).
- Not all valid reports will receive a CVE, but Kong reserves the right to assign when appropriate.
In-Scope Vulnerabilities
Kong is primarily interested in impactful vulnerabilities affecting Kong services and products, including but not limited to:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Remote Code Execution (RCE)
- SQL Injection
- Server-Side Request Forgery (SSRF)
- Authentication Bypass
- Privilege Escalation
- Local/Remote File Inclusion
- Sensitive Data Exposure
- Protection Mechanism Bypasses
- Directory Traversal
- Unauthenticated Admin Interfaces
- Open Redirects with credential/token impact
Out-of-Scope Vulnerabilities
Kong follows HackerOne's Core Ineligible Findings list. Any vulnerabilities categorized as ineligible by HackerOne are also considered out of scope for this program.
Legal Notes
- You must be 18 years or older to participate.
- You must not reside in or be associated with any country or entity on U.S. sanctions lists.
- You are responsible for any taxes associated with your reward.
- Kong reserves the right to modify or terminate this program at any time.
- All eligibility and reward decisions are at Kong's sole discretion.
Contact
For questions, please contact: [email protected]