
Vulnerability Disclosure Policy

A subset of our systems may also be eligible for bounties; those systems are governed by their own vulnerability disclosure policy and bounty program, which can be found here:

Introduction

This Vulnerability Disclosure Policy outlines the process through which individuals can report vulnerabilities found within our systems, networks, or services. We recognize the value of the security community's efforts in helping us secure our services and are committed to addressing all reported vulnerabilities in a timely manner.

Smart contract bounties

For smart contract vulnerabilities, Kiln operates dedicated programs with their own reward structure:

  • Kiln Onchain (v1) — https://cantina.xyz/bounties/607dd012-08ad-4080-bf4a-78dc1c28faa9
  • Kiln Onchain (v2) — https://cantina.xyz/bounties/185c683c-77e7-4b71-822d-95e1a98fee9e
  • Kiln DeFi — https://cantina.xyz/bounties/c9a4b51b-2e80-4713-a06f-13524c530fa6

The rest of this policy applies to the scope detailed below.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and Kiln will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Guidelines

Under this policy, "research" means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Do not submit a high volume of low-quality reports.

Once you've established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test methods

The following testing and reporting activities are strictly prohibited:

  • Destructive Testing: Any form of testing that disrupts, damages, or degrades the usability of our systems, services, or data.
  • Unauthorized Access to Data: Accessing, downloading, modifying, or deleting data from Kiln systems or services that the researcher does not own.
  • Social Engineering: Any form of testing involving deception or manipulation of our employees, contractors, or users.
  • Denial of Service: Executing any form of attack that degrades, disables, or interrupts service availability.

Scope

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.

The following hostnames are included in the scope:

  • kiln.fi
  • dashboard.kiln.fi
  • gateway.kiln.fi
  • ledger-live-app.kiln.fi
  • ledger-vault-gateway.kiln.fi
  • vault.kiln.fi
  • sqlpad.kiln.fi
  • api.kiln.fi
  • stake.kiln.fi
  • widget.kiln.fi
  • *.thegraph.kiln.fi


Any service not expressly listed above, such as any connected services, are excluded from scope
and are not authorized for testing.

If a vulnerability is specific to a third-party vendor's platform or infrastructure, researchers are encouraged to report it directly to the vendor in accordance with that vendor's disclosure policy.

Depending on the nature of the vulnerability and its impact on our systems, we reserve the right to determine whether a reward will be issued. For example, if the issue is entirely outside our control or requires resolution by the vendor, the reward may not be paid.

If you aren't sure whether a system is in scope or not, contact us at security@kiln.fi before starting your research.

We appreciate your efforts to help us improve our security. However, the following issues are considered out of scope for this program and will not be eligible for rewards. These exclusions include known issues, accepted risks, or areas not prioritized for this program:

  • Public Information and Configuration Details:
    • Disclosure of known public files or directories (e.g., robots.txt or .well-known directories).
    • Banner disclosures on public or common services.
    • DNSSEC, SPF, DKIM, and DMARC issues without exploitable impact.
    • Presence of open ports or standard services without a demonstrable security impact.
  • Web Security Headers and Client-Side Issues:
    • Missing or misconfigured browser security headers (e.g., HSTS, CSP).
    • Vulnerabilities related to browser behavior, such as cached pages being accessible after logout via the browser back button.
    • Clickjacking vulnerabilities (e.g., missing X-Frame-Options headers).
    • Cookie flags.
  • Authentication and Rate Limiting:
    • Brute-force or credential-stuffing attacks.
    • Lack of rate-limiting or velocity throttling for endpoints.
    • Denial-of-service attacks (application-level or network-level).
  • Forms and User Interactions:
    • CSRF on forms available to anonymous or unauthenticated users.
    • HTML injection unless demonstrable escalation to directly exploitable XSS is possible.
    • XSS or behaviors where the user can only attack themselves.
  • File Uploads and Attachments:
    • Malicious attachments or files that require manual intervention for exploitation.
    • File uploads without exploitable impact (e.g., uploads restricted to non-executable file types).
  • Low-Impact Information Disclosures:
    • Non-sensitive information disclosure (e.g., metrics, version numbers, or error messages without exploitable paths).
  • Social Engineering and User Behaviour:
    • Phishing or other social engineering techniques against Kiln employees or users.

Rewards

Kiln may provide recognition and rewards to anyone who responsibly and ethically discloses security issues to us while adhering to this policy. We will determine the amount of the reward, if any, at our own discretion based on various parameters, such as the severity of the vulnerability, its impact, as well as the quality of the report. All decisions are final.

We will reward you for the following types of vulnerabilities (except where noted otherwise in the testing exclusions and bounty-ineligible section above):

  • Critical with fund loss
    • Estimated bounty: 10% of the funds directly affected, up to a maximum of $100,000
    • Example issues: major fund loss through any means (excluding smart contracts; for those, visit our Immunefi page)
  • Critical
    • Estimated bounty: up to $20,000
    • Example issues: remote code execution on a server, leading to full control of server operations and jeopardizing system integrity and data; SQL injection leading to full database compromise, including unauthorized data manipulation or leakage; access to cloud infrastructure, e.g. exploiting a misconfigured IAM policy to gain unauthorized access to critical cloud resources (virtual machines, storage buckets); etc.
  • High
    • Estimated bounty: up to $8,000
    • Example issues: significant broken authentication or session hijacking, privilege escalation on critical functionality, etc.
  • Medium
    • Estimated bounty: up to $2,500
    • Example issues: access control bypass, privilege escalation, reflected XSS, stored XSS, CSRF, open URL redirection, directory traversal, subdomain takeover of in-scope domains, etc.
  • Low
    • Estimated bounty: up to $1,000
    • Example issues: sensitive information leakage (metrics excluded), incorrect API access controls, etc.

Duplicate reports will not be rewarded. If multiple researchers report the same issue, we will reward only the first valid submission based on the time of receipt. However, we encourage researchers to include detailed PoCs and exploitation scenarios to help distinguish their reports.

You are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by law from making payments (for example, countries on US sanctions lists) are ineligible for rewards.

Reporting a vulnerability

We accept vulnerability reports at security@kiln.fi. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 5 business days.

All reports concerning vulnerabilities of high severity and above must be encrypted using our PGP public key:

What we would like to see from you

In order to help us triage and prioritize submissions, we require that your reports:

  • Include a full proof-of-concept.
  • Describe where the vulnerability was discovered and the potential impact of exploitation.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts, screenshots and videos are helpful).
  • Not be shared publicly without obtaining permission from us first, and never without suitably redacting sensitive information, including but not limited to IP addresses, full paths to endpoints, and PII (personally identifiable information).
  • Optionally include details about your security credentials and track record.
  • Be in English, if possible.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

  • Within 5 business days, we will acknowledge that your report has been received.
  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
  • We will maintain an open dialogue to discuss issues.

Policy Updates

This policy is subject to periodic review and may be updated or modified at any time by Kiln without prior notice.

Questions

Questions regarding this policy may be sent to security@kiln.fi. We also invite you to contact us with suggestions for improving this policy.

Copyright © Kiln 2025