White Hat Policy
We value security researchers who help us keep our platform secure. Report vulnerabilities responsibly and get rewarded.
Our Commitment
Kobana encourages security researchers to report vulnerabilities responsibly. We investigate all legitimate reports and commit to remedying identified issues.
We will not take legal action against researchers who follow the responsible disclosure guidelines described in this policy.
Responsible Disclosure Policy
To receive legal protection, researchers must follow these guidelines:
Allow reasonable time for investigation before publicly disclosing or sharing vulnerability details
Obtain authorization before accessing individual accounts or customer data
Minimize damage to other customers by avoiding data destruction or service interruption
Do not exploit discovered vulnerabilities for any purpose
Comply with all applicable laws and regulations
Reward Structure
Rewards fall into different ranges depending on whether the report demonstrates real harm or only potential harm:
Real harm
Material impact demonstrated while staying within the responsible disclosure policy: for example, real personal data exposed, a valid production token reused, an account compromised, or an end-to-end exploit chain reproduced in production.
Potential harm
A reproducible vector with correct technical analysis, but no material impact realized: for example, tests with synthetic data, metadata without PII, or a chain that depends on an additional unverified assumption.
| Vulnerability Type | Real harm | Potential harm |
|---|---|---|
| Non-security related bugs (functional issues without security impact) | Not applicable | Not applicable |
| Private data not protected by LGPD (exposure of private data outside the scope of LGPD, Brazil's data protection law) | US$ 100 - US$ 200 | US$ 50 - US$ 100 |
| Access to LGPD-protected data (vulnerabilities that allow access to personal data) | US$ 200 - US$ 1,000 | US$ 100 - US$ 500 |
| Access to all Kobana data (critical full-access vulnerabilities) | US$ 1,000+ | US$ 500+ |
Ex-gratia reward
For genuine findings with low exploitability, or that fall outside the ranges above, we may pay an ex-gratia reward starting at US$ 50 in recognition of the contribution. Such payments do not set a precedent for future cases.
Charity donations
If the reward is donated to a charity or NGO (subject to Kobana approval), the amount is doubled. The invoice must be sent within 10 days of approval for payment to be processed.
Covered Assets
Any subdomain of the domains below, including production and sandbox environments:
Primary domain
*.kobana.com.br
Boleto hosting
*.bole.to
Document hosting
*.kdoc.to
Third-party services are not covered by the program.
Ineligible Reports
The following types of reports are not eligible for a reward:
Social engineering, spam or DDoS attacks
Content injection or spoofing, unless it demonstrates considerable risk
Sending messages to anyone at Kobana
Vulnerabilities in third-party integrations
Scripts on sandbox domains
Vulnerabilities requiring physical access to user device
Vulnerabilities in outdated software not in use
Send security reports exclusively to the email address below. Do not contact employees directly.
whitehat@kobana.com.br
Guidelines for a good report:
- Detail reproduction steps with URLs and user IDs
- Provide clear descriptions of the account used
- Prioritize clarity over quantity of information
- Videos should be short and legible (480p or higher) and accompanied by written steps
- Include the potential impact of the vulnerability
- Do not share details with third parties before the fix
Eligibility Requirements
To be eligible, you must:
- Comply with the responsible disclosure policy
- Report real security bugs that create privacy/security risks
- Focus on products within the program scope
- Not fall under any of the ineligible report types listed above
Payment process:
- Report validation by the security team
- Severity classification and reward definition
- Invoice submission within 10 days after approval
- Payment processing after invoice receipt
Found a vulnerability?
Report responsibly and help keep Kobana secure for everyone.
