Vulnerability Disclosure Policy

Introduction

This Vulnerability Disclosure Policy outlines the process through which individuals can report vulnerabilities found within our systems, networks, or services. We recognize the value of the security community's efforts in helping us secure our services and are committed to addressing all reported vulnerabilities in a timely manner.

Smart contract bounties

For smart contracts vulnerabilities, Kiln operates dedicated programs with their own reward structure:

The rest of this policy focuses on the scope detailed further down.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and Kiln will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Guidelines

Under this policy, "research" means activities in which you:

Notify us as soon as possible after you discover a real or potential security issue.
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
Do not submit a high volume of low-quality reports.

Once you've established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test methods

The following testing and reporting activities are strictly prohibited:

Destructive Testing: Any form of testing that disrupts, damages, or degrades the usability of our systems, services, or data.
Unauthorized Access to Data: Accessing, downloading, modifying, or deleting data from Kiln systems or services that the researcher does not own.
Social Engineering: Any form of testing involving deception or manipulation of our employees, contractors, or users.
Denial of Service: Executing any form of attack that degrades, disables, or interrupts service availability.

Scope

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.

The following hostnames are included in the scope:

kiln.fi
dashboard.kiln.fi
gateway.kiln.fi
ledger-live-app.kiln.fi
ledger-vault-gateway.kiln.fi
vault.kiln.fi
sqlpad.kiln.fi
api.kiln.fi
stake.kiln.fi
widget.kiln.fi
*.thegraph.kiln.fi

Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing.

‍

If a vulnerability is specific to the vendor’s platform or infrastructure, researchers are encouraged to report it directly to the vendor in accordance with their disclosure policy.

‍

Depending on the nature of the vulnerability and its impact on our systems, we reserve the right to determine whether a reward will be issued. For example, if the issue is entirely outside our control or requires resolution by the vendor, the reward may not be paid.

‍
If you aren't sure whether a system is in scope or not, contact us at security@kiln.fi before starting your research.
‍

‍
We appreciate your efforts to help us improve our security. However, the following issues are considered out of scope for this program and will not be eligible for rewards. These exclusions include known issues, accepted risks, or areas not prioritized for this program:

Public Information and Configuration Details:
- Disclosure of known public files or directories (e.g., robots.txt or .well-known directories).
- Banner disclosures on public or common services.
- DNSSEC, SPF, DKIM, and DMARC issues without exploitable impact.
- Presence of open ports or standard services without a demonstrable security impact.
Web Security Headers and Client-Side Issues:
- Missing or misconfigured browser security headers (e.g., HSTS, CSP).
- Vulnerabilities related to browser behavior, such as cached pages being accessible after logout via the browser back button.
- Clickjacking vulnerabilities (e.g., missing X-Frame-Options headers).
- Cookie flags.
Authentication and Rate Limiting:
- Brute-force or credential-stuffing attacks.
- Lack of rate-limiting or velocity throttling for endpoints.
- Denial-of-service attacks (application-level or network-level).
Forms and User Interactions:
- CSRF on forms available to anonymous or unauthenticated users.
- HTML injection unless demonstrable escalation to directly exploitable XSS is possible.
- XSS or behaviors where the user can only attack themselves.
File Uploads and Attachments:
- Malicious attachments or files that require manual intervention for exploitation.
- File uploads without exploitable impact (e.g., uploads restricted to non-executable file types).
Low-Impact Information Disclosures:
- Non-sensitive information disclosure (e.g., metrics, version numbers, or error messages without exploitable paths).
Social Engineering and User Behaviour:
- Phishing or other social engineering techniques against Kiln employees or users.

Rewards

Kiln may provide recognition and rewards to anyone who responsibly and ethically discloses security issues to us while adhering to this policy. We will determine the amount of the reward, if any, at our own discretion based on various parameters, such as the severity of the vulnerability, its impact, as well as the quality of the report. All decisions are final.

We will reward you for the following types of vulnerabilities (except where noted otherwise in our Testing Exclusions and bounty ineligible section):

Severity

Estimated bounty

Exemple issues

Critical with fund loss

Reward amount is 10% of the funds directly affected up to a maximum of $100,000

Major fund loss through any mean (excluding smart contracts, for this visit our Immunefi page)

Critical

Up to $20,000

Remote access to execute arbitrary code on the server, leading to full control of server operations, jeopardizing system integrity and data.SQL injection: full database compromise, including unauthorized data manipulation or leakage.Access to cloud infrastructure: exploiting a misconfigured IAM policy to gain unauthorized access to critical cloud resources (e.g., virtual machines, storage buckets).Etc.

High

Up to $8,000

Significant broken authentication or session hijacking, privilege escalation on critical functionality, etc.

Medium

Up to $2,500

Access control bypass, privilege escalation, reflective XSS, stored XSS, CSRF, open URL redirection, directory traversal, subdomain takeovers of in-scope domains, etc.

Low

Up to $1,000

Sensitive information leakage (metrics excluded), incorrect API access controls, etc.

Duplicate reports will not be rewarded. If multiple researchers report the same issue, we will reward only the first valid submission based on the time of receipt. However, we encourage researchers to include detailed PoCs and exploitation scenarios to help distinguish their reports.

‍You are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments, such as the US Sanction Lists, are ineligible for rewards.

Reporting a vulnerability

We accept vulnerability reports at security@kiln.fi. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 5 business days.

‍

All reports concerning high severity vulnerability and above are required to be encrypted using our PGP public key:

‍

What we would like to see from you

In order to help us triage and prioritize submissions, we require that your reports:

Include a full proof-of-concept.
Describe the location the vulnerability was discovered and the potential impact of exploitation.
Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts, screenshots and videos are helpful).
Not be shared publicly without obtaining permission from us first, and never without suitably redacting sensitive information, including but not limited to IP addresses, full paths to endpoints, and PII (personal identifiable information).
Don’t hesitate to add details about your security credentials and track record.
Be in English, if possible.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

Within 5 business days, we will acknowledge that your report has been received.
To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
We will maintain an open dialogue to discuss issues.

Policy Updates

This policy is subject to periodic review and may be updated or modified at any time by Kiln without prior notice.

Questions

Questions regarding this policy may be sent to security@kiln.fi. We also invite you to contact us with suggestions for improving this policy.