RESPONSIBLE DISCLOSURE POLICY
KMZ Cloud encourages the responsible disclosure of security vulnerabilities in our services or on our website. In order to facilitate the responsible disclosure of security vulnerabilities, we agree that if, in our sole discretion, we conclude that a disclosure meets all of the guidelines of the KMZ Cloud Bug Bounty Reward Program, KMZ Cloud will not bring any private or criminal legal action against the disclosing party.
BUG BOUNTY REWARD PROGRAM POLICY AND TERMS
Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in helping to keep KMZ Cloud and our customers secure. If you discover a site or product vulnerability please notify us using the guidelines below.
Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“PROGRAM TERMS”). By submitting a site or product vulnerability to KMZ Cloud you acknowledge that you have read and agreed to these PROGRAM TERMS.
As part of your research, do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.
To be eligible for the Bug Bounty Program, you must not:
- Be in violation of any national, state, or local law or regulation;
- Be employed by KMZ Cloud or its subsidiaries;
- Be an immediate family member of a person employed by KMZ Cloud or its subsidiaries or affiliates; or
- Be less than 16 years of age. If you are at least 16 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program.
- If KMZ Cloud discovers that you meet any of the criteria above, KMZ Cloud will remove you from the Bug Bounty Program and disqualify you from receiving any Bounty Payments
By providing a Submission or agreeing to the PROGRAM TERMS, You agree that you may not publicly disclose your findings or the contents of your Submission to any third parties in any way without KMZ Cloud’s prior written approval.
Failure to comply with the PROGRAM TERMS will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any Bounty Payments.
KMZ Cloud will accept a report of any vulnerability that substantially affects the confidentiality or integrity of any eligible KMZ Clloud service. Eligible vulnerabilities include, but are not limited to:
- Authentication or authorization flaws, including insecure direct object references and authentication bypass
- Server-side or remote code execution (RCE)
- Injection vulnerabilities, including SQL and XML injection
- Directory Traversal
- Privilege Escalation
- Disclosure of sensitive or personally identifiable information
- Significant security misconfiguration with a verifiable vulnerability
- Exposed system credentials, disclosed by KMZ Cloud or its employees, that pose a valid risk to an in scope asset.
Any domain not listed in policy scope is out of scope for the purposes of the Bug Rewards Program, as is all hosted customer content and third-party programs and plug-ins.
The following actions do not qualify for the Bug Rewards Program and should not be tested by researchers participating in the Program:
- Reports that involve a secondary user account where an existing business relationship is being leveraged and the impact is limited solely to the parent account
- Username enumeration on customer facing systems (i.e. using server responses to determine whether a given account exists)
- Scanner output or scanner-generated reports, including any automated or active exploit tool
- Man-in-the-Middle attacks
- Any physical attacks against KMZ Cloud property or data centers
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Vulnerabilities involving stolen credentials or physical access to a device
- Phishing attacks
- Social engineering attacks, including those targeting or impersonating internal employees by any means (e.g. customer service chat features, social media, personal domains, etc.)
- Open redirection, except in the following circumstances:
- Clicking a KMZ Cloud-owned URL immediately results in an unexpected redirection and loss of sensitive data (e.g. session tokens, PII, etc)
- CRIME/BEAST attacks
- Logout CSRF
- Banner or version disclosures
- Missing SPF records
- Directory listing (unless sensitive data can be found)
- DoS, brute force, user enumeration or DDoS attacks
- Blackhat SEO techniques
- Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact
- Vulnerabilities on third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
- Exposed credentials that are either no longer valid, or do not pose a risk to an in scope asset
- Any bug that relies upon an outdated browser
- Infrastructure vulnerabilities, including:
- Isues related to SSL certificates
- DNS configuration issues
- Server configuration issues (e.g. open ports, TLS versions, etc.)
- Bugs requiring exceedingly unlikely user interaction.
- Insecure password complexity requirements
- Email verification/validation issues
- Quality and business logic bugs which do not pose real risk and do not impact business and customers in a way which could lead to unauthorised access to data or systems, also when there is no possibility to take advantage of the bug to couse some sort of damage to company systems or data.
BUG SUBMISSIONS REQUIREMENTS
For all submissions, please include:
- Full description of the vulnerability being reported, including the exploitability and impact
- Evidence and explanation of all steps required to reproduce the submission, which may include:
- Videos or Step by step screenshots
- Exploit code
- Traffic logs
- Web/API requests and responses
- Email address or user ID of any test accounts
- IP address used during testing
- For RCE submissions, see below
Failure to include any of the above items may delay or jeopardize the Bounty Payment.
REMOTE CODE EXECUTION (RCE) SUBMISSIONS GUIDELINES:
Failure to meet the below conditions and requirements could result in a forfeiture of any potential Bounty Payment.
- Source IP address
- Timestamp, including time zone
- Full server request and responses
- Filenames of any uploaded files, which must include “bugbounty” and the timestamp
- Callback IP and port, if applicable
- Any data that was accessed, either deliberately or inadvertently
- Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
- Uploading a file that outputs the result of a hard-coded benign command
- Uploading files that allow arbitrary commands (i.e. a webshell)
- Modifying any files or data, including permissions
- Deleting any files or data
- Interrupting normal operations (e.g. triggering a reboot)
- Creating and maintaining a persistent connection to the server
- Intentionally viewing any files or data beyond what is needed to prove the vulnerability
- Failing to disclose any actions taken or applicable required information