
Safaricom
External Program
If you believe you have found a security vulnerability on any of Safaricom’s products or services, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Please email findings to [email protected].
Please be aware we do not permit any reports to be publicly disclosed.
Should your submission be valid and impactful, we may invite you to join our private Bug Bounty Program on HackerOne.
Thank you.
We are committed to protecting the interests of security researchers and will do our best to ensure that we manage the confidentiality and integrity of this process. The rules below act as a guideline for the responsible disclosure process:
• Research should be performed only on systems that qualify for the Safaricom Bug Bounty program. These are listed in the “Qualifying Systems” subsection. Any other systems, including third parties’ systems, are out of scope.
• Submissions must be made exclusively through Safaricom’s vulnerability disclosure portal to be considered for a reward.
• Communication regarding submissions must remain on the HackerOne platform for the duration of the disclosure process.
• Actions which affect the integrity or availability of systems are prohibited, and this prohibition is strictly enforced. If you notice performance degradation on the target systems, you must immediately suspend all activity and/or use of automated tools.
• Submissions should have impact on the target’s security posture. Impact means the reported issue affects the target’s users, systems or data security in a meaningful way. Submitters may be asked to defend the impact in order to qualify for a reward.
• Submissions may be closed if a researcher is non-responsive to requests for information after 30 days.
• The existence or details of vulnerabilities must not be communicated to anyone who is not a Safaricom employee or an authorized employee of the organization responsible for the program.
• Our security team and engineers must be able to reproduce the reported security flaw(s). Make sure your report is clearly written and includes all the necessary information so we can reproduce the flaw: a description and type of the vulnerability, a list of affected URLs and/or affected parameters, the potential impact of the vulnerability, step-by-step instructions to reproduce the issue including any proof-of-concept or exploit code, and screenshots and/or videos illustrating the vulnerability. Do not share such videos with anyone or post them publicly, as this violates our disclosure guidelines.
• A violation of these rules may result in the invalidation of submissions, and forfeiture of all rewards, for current and future programs on the Safaricom platform.
• We are unable to issue rewards to individuals who are on sanctions lists or subject to cyber-related sanctions regulations, who appear on terror watchlists, who are Safaricom or HackerOne employees/contractors, or who work for third parties contracted by Safaricom or HackerOne.
• You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
• This is not a competition, but rather an experimental and discretionary rewards program. Safaricom PLC has the sole right to cancel and/or suspend the program should we deem it ineffective at any time. It is also worth noting that the decision as to whether to pay a reward is at Safaricom’s sole discretion.
• Your testing must not violate any law, or disrupt or compromise any data that is owned by Safaricom PLC, its customers and/or third parties.
# Out of scope vulnerabilities
Some submission types are excluded because they are dangerous to access, or because they have low security impact to the program owner. This section lists issues that Safaricom does not accept; they will be immediately marked as invalid and do not qualify for a reward.
• Findings from physical testing such as office access (e.g. tailgating).
• Findings derived primarily from social engineering (e.g. phishing).
• Findings from applications or systems not listed in the qualifying systems section.
• Functional, user interface and user experience bugs and spelling mistakes.
• Network-level Denial of Service (DoS/DDoS) vulnerabilities.

Some submission types do not qualify for a reward because they have low security impact to external-facing Safaricom systems and thus do not trigger a code change. This section lists issues found to be commonly reproducible and reported, but which are often ineligible. We strongly suggest you do not report these issues unless you can demonstrate a chained attack with higher impact. These non-qualifying submission types include (but are not limited to):
• Descriptive error messages.
• HTTP 404 codes/pages or other HTTP non-200 codes/pages.
• Disclosure of known public files or directories (e.g. robots.txt).
• Weak Captcha / Captcha bypass.
• SSL attacks such as BEAST, BREACH and renegotiation attacks.
• SSL forward secrecy not enabled.
• SSL insecure cipher suites.
• Any activity that could lead to the disruption of our service, e.g. denial of service attacks.
• Clickjacking / UI redressing attacks on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Attacks requiring MITM or physical access to a user’s device.
• Previously known vulnerable libraries without a working proof of concept.
• Comma Separated Values (CSV) injection without demonstrating impact.
• Missing best practices in SSL/TLS configuration.
• Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
• Issues in third-party services/platforms that are beyond our control, e.g. games.safaricom.com, e-learning-public.safaricom.co.ke, etc.
• Vulnerabilities as reported by automated tools without additional analysis as to how they are an issue. If an IP address is discovered to persistently and constantly use automated tools, that IP address shall be blocked.
• All brute-force attacks.
• XSS that affects only outdated browsers.
• Reflected XSS issues will not be awarded unless the impact is demonstrated.
• PHP info page will not be awarded without demonstrating the impact.
• Host header and banner grabbing issues.
• Missing HTTP security headers and cookie flags on insensitive cookies.
• Open redirects, unless they can be used for actively stealing tokens.
• User enumeration such as user email or user ID.
• Phishing / spam (including issues related to SPF/DKIM/DMARC).
• Missing security best practices (e.g. account lockout, captcha).
• Session fixation and session timeout.
• Any bugs or issues related to third parties or vendors, e.g. Cisco, Oracle, Microsoft, etc.
• Vulnerabilities affecting UAT/PoC/test/pre-prod systems.
• Vulnerabilities already known to the Safaricom internal security team.
• OPTIONS / TRACE HTTP method enabled.
• Banner disclosure on common/public services.
• All systems explicitly listed as “Out of Scope” in the program policy.
At Safaricom, we carry out periodic patching of our systems to safeguard them against emerging vulnerabilities including Zero-day and other CVE vulnerabilities. Responsible vulnerability disclosures will be considered for bounty awards after a minimum of 30 days from the day the vulnerability is announced.