Bug Bounty Program
Rules of engagement
By submitting reports or otherwise participating in this program, you agree that you have read and will follow this program's Rules and Legal Terms, which you can find below.
Program rules
Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program.
- Test vulnerabilities only on accounts that you own or on accounts that you have permission to test from the account holder.
- Never use a finding to compromise/exfiltrate/modify/destroy data or to pivot to other systems. Use a proof of concept only to demonstrate an issue.
- Researchers are not authorized and must not engage in any activity that would be disruptive, damaging or harmful to Kentico Group, its brands or its users. This includes social engineering, unsolicited messages, phishing, physical security and any type of denial-of-service attacks, especially automatic tools, against users, employees, or Kentico Group as a whole.
- Abide by the program scope. Only reports submitted to this program and on assets in scope will be eligible for a monetary award.
- Testing third party websites, applications or services that integrate with Kentico Xperience services is not allowed.
- Any illegal activity (unless it is illegal to do security research, in which case go right ahead) is prohibited.
- Researchers must not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Kentico Xperience employees), or otherwise share vulnerabilities with a third party, without the express written permission of Kentico Group.
- Contacting Kentico Xperience Support by any means in relation to this bounty program (pre-validating reports, testing them, asking for updates, etc.) is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.
Legal terms
In connection with your participation in this program, you agree to comply with the Kentico Group Privacy Policy, and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data. Kentico Group reserves the right to change or modify the terms of this program at any time.
Safe harbor
Kentico Group will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this Policy.
Scope
Application: Kentico Xperience (Download free 14-day DXP Trial)
Supported development models: ASP.NET Core, ASP.NET MVC 5
Web projects: Xperience Administration application and Dancing Goat sample site
Rewards
You will be eligible for a bounty only if you are the first person to disclose an unknown issue. Qualifying bugs will be rewarded based on severity as determined by Kentico Group at its sole discretion. Rewards are paid as Amazon vouchers in a fixed amount; there are no other payment options such as PayPal or bank transfer.
Payout table
Severity | Low | Medium | High | Critical
--- | --- | --- | --- | ---
Kentico Xperience | $50 Amazon voucher | $200 Amazon voucher | $500 Amazon voucher | $700 Amazon voucher
Exclusion
Kentico Group employees (including former employees that separated from Kentico within the prior 12 months), contingent workers, contractors and their personnel, and consultants, as well as their immediate family members and people living in the same household, are not eligible to receive bounties or rewards of any kind under any Kentico Xperience programs, whether hosted by Kentico Group or any third party.
Issues not to report
Below you can find a partial list of issues that you should not report unless you believe there is an actual vulnerability:
- Attacks requiring physical access to a user's device
- CSRF on forms that are available to anonymous users
- Disclosure of known public files or directories (e.g. robots.txt)
- Domain Name System Security Extensions (DNSSEC) configuration suggestions
- Banner disclosure on common/public services
- HTTP/HTTPS/SSL/TLS/CSP security header configuration suggestions
- Lack of Secure/HttpOnly flags on non-sensitive cookies
- Logout CSRF
- Phishing or Social Engineering Techniques
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- Sender Policy Framework (SPF) configuration suggestions
Kentico Xperience exclusions:
- Vulnerabilities found in third party libraries
- XSS injected into the HTML editor (Froala)
- XSS in the widget configuration (Pages application)
- Injection of malicious SQL or ASCX code by highly privileged users (Site Administrator and Global Administrator)
- Marketplace extensions
- Application settings, web.config and environment security misconfiguration
Issues reporting
If you believe you’ve found a security vulnerability in Kentico Xperience, we encourage you to let us know right away by emailing security+bugbounty@kentico.com (optionally using our PGP key). We ask you not to disclose the issue publicly until we have a chance to address it. We won’t pursue legal action as long as you make a good-faith effort to avoid privacy violations and destructive exploitation of the vulnerability.