Vulnerability Disclosure Program

At Kontent.ai, security has always been of great importance. Kontent.ai is committed to working with security researchers to help identify and fix vulnerabilities in our systems and services. If you believe you’ve found a security issue in our system or service, we encourage you to notify us. We will work with you to resolve the issue promptly.

When performing security testing, please adhere to the following guidelines:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Test vulnerabilities only on accounts you own or on accounts you have permission to test from the account holder.
  • If you inadvertently access other users’ data in your testing, please let us know, and do not store any such user data.
  • Do not use a finding to compromise/exfiltrate/modify/destroy data or to pivot to other systems. Use a proof of concept only to demonstrate an issue.
  • Do not engage in any activity that would be disruptive, damaging, or harmful to Kontent.ai, its brands, or its users. This includes social engineering, unsolicited messages, phishing, physical security, and any type of denial-of-service attacks, especially using automated tools.
  • Do not test third-party websites, applications, or services that integrate with Kontent.ai services without their permission.
  • Any illegal activity is prohibited.
  • Do not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Kontent.ai employees) or otherwise share vulnerabilities with a third party without the express written permission of Kontent.ai.
  • Do not contact Kontent.ai Support by any means in relation to this program (pre-validating reports, testing them, asking for updates, etc.). Instead, please contact the Security Team according to the instructions below.

Qualifying issues

We’re particularly interested in the following types of vulnerabilities and impacts:

  • Remote code execution
  • XSS resulting in access to sensitive data (e.g., session info)
  • Insecure direct object reference resulting in access to sensitive data or functionality
  • Business logic flaws that result in access to sensitive data or functionality

Out of scope

We are not interested in the following types of issues:

  • Attacks requiring physical access to a user’s device
  • Phishing techniques
  • Disclosure of known public files or directories (e.g., robots.txt)
  • Missing DNS records (e.g., SSL CAA, DMARC, and SPF)
  • Banner disclosure on common/public services
  • HTTP/TLS configuration issues without demonstrable impact
  • Lack of Secure/HTTPOnly flags on non-sensitive cookies
  • CSP, Security header configuration suggestions
  • Presence of application or web browser 'autocomplete' or 'save password' functionality
  • CSRF on forms that are available to anonymous users
  • Username enumeration on login or forgot password pages
  • Rate limit bypasses where throttling is not in place
  • Unauthenticated cache purge
  • API key disclosure without proven business impact
  • Self-XSS that cannot be used to exploit other users
  • Absence of password length limits
  • Bypassing rate-limits or the non-existence of rate-limits
  • Host header injection without proven business impact
  • Attacks requiring man-in-the-middle or compromised user accounts
  • Cookie bomb DoS

Scope

This policy applies to the following systems and services:

Any systems or services not expressly listed above are excluded from the scope and are not authorized for testing.

Reporting issues

Please contact us at security@kontent.ai. For secure communication, use our PGP key. If you find multiple issues, please report them separately. We will keep you up to date on the progress towards remediation of issues we accept from you, and we ask you not to disclose the issue publicly without Kontent.ai’s prior written permission.

Legal terms

In connection with your participation in this program, you agree to comply with the Terms of Service and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data. Kontent.ai reserves the right to change or modify the terms of this program at any time.

Safe harbor

Kontent.ai will not initiate a lawsuit or law enforcement investigation against you in response to reporting a vulnerability if you fully comply with this policy.

Rewards

When you are the first to report a qualifying bug to us using the above-mentioned channel, you may be eligible for a reward, provided that knowledge of the bug was not made publicly available by you or a third person. Rewards are based on the severity of the reported bugs as determined by Kontent.ai, at its sole discretion, using the Bugcrowd VRT. Rewards are paid in the form of Amazon vouchers (or another form), in amounts determined by Kontent.ai.

You, as the reporter, are responsible for any taxes due on a reward. There may be additional restrictions on your ability to participate in this program depending on your local law and laws on international sanctions, embargoes, etc.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay out a reward is at our sole discretion.

  • P1: $300
  • P2: $150
  • P3: $100
  • P4: $20
  • P5: $0

The severity of findings in the "Varies" category is determined exclusively by the Kontent.ai security team.

Acknowledgments

We would like to thank all the researchers that help us improve the security of Kontent.ai’s products and websites.

Name / Company      Bug type
Tushar Bhosale
Oversecured Inc.

Questions

If you have any concerns or are uncertain whether the security research is consistent with this policy, please contact security@kontent.ai before going any further.