Krisp looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
Response Targets
Krisp will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 5 days |
| Time to Triage | 10 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
- As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Do not post vulnerabilities without our consent. This includes, but is not limited to, posting your proof of concept on Twitter, YouTube, Vimeo, etc.
- Follow HackerOne's disclosure guidelines.
Program Rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- If a reported vulnerability was already known to the company from our own tests, it will be flagged as a duplicate.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability.
- Do not put a backdoor in the system, not even for the purpose of showing the vulnerability as inserting a backdoor will cause even more damage to the safety of our systems.
- Please use a rate limit of 5 requests per second when using automation.
Test plan
- Please test on the staging environment first; you must then verify your finding on the production environment,
- When assessing the backend, please run your scanners only on the staging environment,
- Register with your @wearehackerone.com email at https://app.krisp.ai/ and https://stage.app.krisp.ai/ for the production and staging environments respectively,
- You can test the payment flow on the staging environment with Stripe and PayPal test cards,
- For other questions, refer to the help widget at https://account.krisp.ai, visit https://help.krisp.ai/ or email us at [email protected].
Main scope
- Latest version of the Krisp Windows application
- Latest version of the Krisp Mac application
- Our web APIs and apps
Secondary scope
- https://krisp.ai,
- *.krisp.ai,
- Any resource that is verified as belonging to us (verify with [email protected]),
- Leaks that have security impact (GitHub, Pastebin, etc.),
- Misconfigurations in third parties such as jobs.krisp.ai, whatsnew.krisp.ai, help.krisp.ai.
Rewards
All amounts are for reference purposes only. Reward applicability and reward amount may depend on problem severity, novelty, exploitation probability, environmental and other factors. The reward decision is made by the Krisp security team for each report individually.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Vulnerabilities in third parties (although we are eager to hear about them and pass them on to the proper parties),
- Zero-day vulnerabilities that have had an official patch for less than 1 month may be awarded on a case-by-case basis,
- Bypassing the free-minutes limitation by modifying the frontend application's logic or integrity,
- Ability to reverse-engineer an application, lack of binary protection,
- Clickjacking on pages with no sensitive actions,
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions (for example logout CSRFs),
- Reports of missing protection mechanisms / best current practices (e.g. no CSRF token, framing/clickjacking protection, reflecting Origin) without demonstration of real security impact for the user or system,
- Attacks requiring MITM or physical access to a user's device,
- Previously known vulnerable libraries without a working Proof of Concept,
- Comma Separated Values (CSV) injection without demonstrating a vulnerability,
- Missing best practices in SSL/TLS configuration,
- Network-level Denial of Service (DoS/DDoS) vulnerabilities,
- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS,
- Rate limiting or brute-force issues on non-authentication and non-sensitive endpoints,
- Missing best practices in Content Security Policy,
- Missing HttpOnly or Secure flags on cookies,
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.),
- Missing DNSSEC,
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version),
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors),
- Tabnabbing,
- Issues that require unlikely user interaction,
- Issues that require edit/admin permissions will most likely be rated as low or closed.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Krisp and our users safe!