Bug Bounty Program

Rules of engagement

By submitting reports or otherwise participating in this program, you agree that you have read and will follow this program's Rules and Legal Terms, which you can find below.

Program rules

Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program.

  • Test vulnerabilities only on accounts that you own or on accounts that you have permission to test from the account holder.
  • Never use a finding to compromise/exfiltrate/modify/destroy data or to pivot to other systems. Use a proof of concept only to demonstrate an issue.
  • Researchers are not authorized and must not engage in any activity that would be disruptive, damaging or harmful to Kentico Group, its brands or its users. This includes social engineering, unsolicited messages, phishing, physical security and any type of denial-of-service attacks, especially automatic tools, against users, employees, or Kentico Group as a whole.
  • Abide by the program scope. Only reports submitted to this program and on assets in scope will be eligible for a monetary award.
  • Testing third party websites, applications or services that integrate with Kentico Xperience services is not allowed.
  • Any illegal activity (unless it is illegal to do security research, in which case go right ahead) is prohibited.
  • Researchers must not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Kentico Xperience employees), or otherwise share vulnerabilities with a third party, without the express written permission of Kentico Group.
  • Contacting Kentico Xperience Support by any means in relation to this bounty program (pre-validating reports, testing them, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.

Legal terms

In connection with your participation in this program, you agree to comply with the Kentico Group Privacy Policy, and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data. Kentico Group reserves the right to change or modify the terms of this program at any time.

Safe harbor

Kentico Group will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this Policy.

Scope

Application: Kentico Xperience (Download free 14-day DXP Trial)

Supported development models: ASP.NET Core, ASP.NET MVC 5

Web projects: Xperience Administration application and Dancing Goat sample site

Rewards

You will be eligible for a bounty only if you are the first person to disclose an unknown issue. Qualifying bugs will be rewarded based on severity as determined by Kentico Group at its sole discretion. Rewards are paid through Amazon vouchers in a certain amount and there are no other payment options such as PayPal or bank transfer.


Payout table

Severity            Low                  Medium                High                  Critical
Kentico Xperience   $50 Amazon voucher   $200 Amazon voucher   $500 Amazon voucher   $700 Amazon voucher


Exclusion

Kentico Group employees (including former employees that separated from Kentico within the prior 12 months), contingent workers, contractors and their personnel, and consultants, as well as their immediate family members and people living in the same household, are not eligible to receive bounties or rewards of any kind under any Kentico Xperience programs, whether hosted by Kentico Group or any third party.

Issues not to report

Below you can find a partial list of issues that you should not report unless you believe there is an actual vulnerability:

  • Attacks requiring physical access to a user's device
  • CSRF on forms that are available to anonymous users
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Domain Name System Security Extensions (DNSSEC) configuration suggestions
  • Banner disclosure on common/public services
  • HTTP/HTTPS/SSL/TLS/CSP security header configuration suggestions
  • Lack of Secure/HTTPOnly flags on non-sensitive cookies
  • Logout CSRF
  • Phishing or Social Engineering Techniques
  • Presence of application or web browser 'autocomplete' or 'save password' functionality
  • Sender Policy Framework (SPF) configuration suggestions

Kentico Xperience exclusions:

  • Vulnerabilities found in third party libraries
  • XSS injected into the HTML editor (Froala)
  • XSS in the widget configuration (Pages application)
  • Injecting malicious SQL or ASCX code by high privileged users (Site administrator and Global Administrator)
  • Marketplace extensions
  • Application settings, web.config and environment security misconfiguration

Issues reporting

If you believe you’ve found a security vulnerability in Kentico Xperience, we encourage you to let us know right away by emailing security+bugbounty@kentico.com (optionally using our PGP key). We ask you not to disclose the issue publicly until we have a chance to address it. We won’t pursue legal action as long as you make a good-faith effort to avoid privacy violations and destructive exploitation of the vulnerability.
