White Hat Policy
We value security researchers who help us keep our platform secure. Report vulnerabilities responsibly and get rewarded.
Our Commitment
Kobana encourages security researchers to report vulnerabilities responsibly. We investigate all legitimate reports and commit to remedying identified issues.
We will not take legal action against researchers who follow the responsible disclosure guidelines described in this policy.
Responsible Disclosure Policy
To receive legal protection, researchers must follow these guidelines:
- Allow reasonable time for investigation before publicly disclosing or sharing vulnerability details
- Obtain authorization before accessing individual accounts or customer data
- Minimize damage to other customers by avoiding data destruction or service interruption
- Do not exploit discovered vulnerabilities for any purpose
- Comply with all applicable laws and regulations
Reward Structure
Rewards based on vulnerability severity and impact
| Vulnerability Type | Reward |
|---|---|
| Non-security related bugs: Functional issues without security impact | Not applicable |
| Unprotected private data: Exposure of data that should be protected | R$ 500 - R$ 1,000 |
| Access to LGPD protected data: Vulnerabilities that allow access to personal data | R$ 1,000 - R$ 5,000 |
| Complete access to Kobana data: Critical full access vulnerabilities | R$ 5,000+ |
Charity donations
Donations to charities or NGOs receive double rewards. The invoice must be sent within 10 days after approval for payment processing.
Covered Assets
The program covers the following Kobana domains and services:
- Website: www.kobana.com.br
- Application: app.kobana.com.br, app-sandbox.kobana.com.br
- API: api.kobana.com.br, api-sandbox.kobana.com.br
- Hosting: bole.to, kdoc.to
- Customer portal: portal.bole.to
- Payment link: checkout.kobana.com.br
Third-party services are not covered by the program.
Ineligible Reports
The following types of reports are not eligible for reward:
- Social engineering, spam or DDoS attacks
- Content insertion, except if demonstrating considerable risk
- Vulnerabilities in third-party integrations
- Scripts on sandbox domains
- Vulnerabilities requiring physical access to user device
- Vulnerabilities in outdated software not in use
Send security reports exclusively to the email below. Do not contact employees directly.
whitehat@kobana.com.br
Guidelines for a good report:
- Detail reproduction steps with URLs and user IDs
- Provide clear descriptions of the account used
- Prioritize clarity over quantity of information
- Videos should be short, readable (480p+), with written descriptions
- Include the potential impact of the vulnerability
- Do not share details with third parties before the fix
Eligibility Requirements
To be eligible, you must:
- Comply with the responsible disclosure policy
- Report real security bugs that create privacy/security risks
- Focus on products within the program scope
- Exclude ineligible vulnerability types
Payment process:
- Report validation by the security team
- Severity classification and reward definition
- Invoice submission within 10 days after approval
- Payment processing after invoice receipt
Found a vulnerability?
Report responsibly and help keep Kobana secure for everyone.