Security Program

Bug Bounty Program

Help us keep Kalipso secure. We value the security research community and reward responsible disclosure.

In Scope

  • Authentication and authorization vulnerabilities
  • Data exposure or leakage issues
  • Cross-site scripting (XSS) vulnerabilities
  • SQL injection and other injection attacks
  • Server-side request forgery (SSRF)
  • Remote code execution vulnerabilities
  • Business logic flaws with security impact

Out of Scope

  • Social engineering attacks on employees
  • Physical attacks on our infrastructure
  • Denial of service (DoS/DDoS) attacks
  • Spam or social engineering via our forms
  • Vulnerabilities in third-party services
  • Issues requiring physical access to devices

Responsible Disclosure Guidelines

We ask that security researchers:

  • Report vulnerabilities as soon as they are discovered
  • Provide sufficient detail to reproduce the issue
  • Do not access or modify data belonging to other users
  • Do not perform actions that could harm our users or services
  • Allow reasonable time for us to address the issue before disclosure
  • Do not discuss the vulnerability publicly until we've resolved it

Rewards

We determine rewards based on the severity and impact of the vulnerability. Factors include:

  • Quality and clarity of the report
  • Potential impact on our users and platform
  • Complexity of the vulnerability
  • Your cooperation during the remediation process

Critical vulnerabilities may qualify for bounties up to €5,000. All valid reports will receive acknowledgment and, where appropriate, public credit.

Report a Vulnerability

Please send your security findings to our security team. Provide as much detail as possible, including steps to reproduce, potential impact, and any proof-of-concept code.

[email protected]