A subset of our systems may also be eligible for bounties; those systems are governed by their own vulnerability disclosure policy and bounty program, which can be found here:
Introduction
This Vulnerability Disclosure Policy outlines the process through which individuals can report vulnerabilities found within our systems, networks, or services. We recognize the value of the security community's efforts in helping us secure our services and are committed to addressing all reported vulnerabilities in a timely manner.
Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and Kiln will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
Guidelines
Under this policy, "research" means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly.
- Refrain from submitting a high volume of low-quality reports.
Once you've established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Test methods
The following testing and reporting activities are strictly prohibited:
- Destructive Testing: Any form of testing that disrupts, damages, or degrades the usability of our systems, services, or data.
- Unauthorized Access to Data: Accessing, downloading, modifying, or deleting data from Kiln systems or services that the researcher does not own.
- Social Engineering: Any form of testing involving deception or manipulation of our employees, contractors, or users.
- Denial of Service: Executing any form of attack that degrades, disables, or interrupts service availability.
Scope
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.
The following hostnames are included in the scope:
- dashboard.kiln.fi
- gateway.kiln.fi
- ledger-live-app.kiln.fi
- ledger-vault-gateway.kiln.fi
- vault.kiln.fi
- sqlpad.kiln.fi
- api.kiln.fi
Any service not expressly listed above, including any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy's scope and should be reported directly to the vendor according to their disclosure policy (if any).
If you aren't sure whether a system is in scope or not, contact us at security@kiln.fi before starting your research.
The following items are known issues or accepted risks for which we will not pay a reward:
- CSRF on forms that are available to anonymous users.
- Disclosure of known public files or directories (e.g. robots.txt).
- Banner disclosure on common/public services.
- Clickjacking.
- Cookie flags.
- DNSSEC, SPF, DKIM, DMARC issues.
- Malicious attachments on file uploads or attachments.
- Missing additional browser security controls, such as HSTS or CSP headers.
- Brute force, rate limiting, velocity throttling, and other denial-of-service-based issues.
- XSS (or similar behaviour) that can only be used to attack yourself.
- HTML Injection is an accepted risk unless you can escalate to XSS.
- Phishing or Social Engineering Techniques.
- Presence of application or web browser 'autocomplete' or 'save password' functionality.
Rewards
Kiln may provide recognition and rewards to anyone who responsibly and ethically discloses security issues to us while adhering to this policy. We will determine the amount of the reward, if any, at our own discretion based on various parameters, such as the severity of the vulnerability, its impact, as well as the quality of the report. All decisions are final.
We will reward you for the following types of vulnerabilities (except where noted otherwise in our Testing Exclusions and bounty ineligible section):
- Remote Code Execution, SQL Injection
- Significant Broken Authentication or Session Management, Stored XSS by Agents/End-users, CSRF and Privilege Escalation on critical functionality, etc.
- Access Control Bypass, Privilege Escalation, Reflected XSS, Stored XSS by Admins, CSRF, Open URL Redirection, Directory Traversal, etc.
- Information Leakage, Incorrect API access controls, subdomain takeovers of in-scope domains, etc.
Duplicate reports will not be rewarded.
You are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments, such as countries on US sanctions lists, are ineligible for rewards.
Reporting a vulnerability
We accept vulnerability reports at security@kiln.fi. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
We do not support PGP-encrypted emails. For particularly sensitive information, submit through our HTTPS web form.
What we would like to see from you
In order to help us triage and prioritize submissions, we require that your reports:
- Describe where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts, screenshots and videos are helpful).
- Not be shared publicly without obtaining permission from us first, and never without suitably redacting sensitive information, including but not limited to IP addresses, full paths to endpoints, and PII (personally identifiable information).
- Optionally, include details about your security credentials and track record.
- Be in English, if possible.
What you can expect from us
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- Within 3 business days, we will acknowledge that your report has been received.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.
Policy Updates
This policy is subject to periodic review and may be updated or modified at any time by Kiln without prior notice.
Questions
Questions regarding this policy may be sent to security@kiln.fi. We also invite you to contact us with suggestions for improving this policy.