Responsible Disclosure Policy
Akto Bug Bounty Program:
We have temporarily suspended our Bug Bounty Program.
Akto is committed to the safety and security of users on Akto. To recognize the importance of independent security researchers in keeping Akto safe, we offer the following bug bounty program to reward the reporting of certain qualifying security vulnerabilities. Please make sure you review the following information before you report a vulnerability. By participating in this program, you agree to be bound by the following information.
We encourage anyone to report security issues to security@akto.io.
Program Rules:
Our rewards are based on the impact of a vulnerability and how we classify the severity of bugs. For more details, please see Issue Severity below.
When duplicates occur, we award the first report that we can completely reproduce.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
The amounts below are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.
We welcome your feedback to continue improving our bug bounty program.
Rewards:
P1: $500
P2: $300
P3: $150
P4: Swag
P5: NA
In-scope:
https://hackme.app.akto.io/
Known Issues:
- Stored XSS (on the dashboard): On Hold until remediated
- SSRF: On Hold until remediated
Out-of-scope:
- *.akto.io
- WAF bypass
- Internal IP address disclosure
- Accessible non-sensitive files and directories (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc.)
- Social engineering/phishing attacks
- Self XSS
- Text injection
- Email spoofing (including SPF, DKIM, DMARC, From: spoofing, and visually similar and related issues)
- Descriptive error messages (e.g. stack traces, application or server errors, path disclosure)
- Fingerprinting/banner disclosure on common/public services
- Clickjacking and issues only exploitable through clickjacking
- CSRF issues that don't impact the integrity of an account (e.g. log in or out, contact forms and other publicly accessible forms)
- Lack of Secure and HttpOnly cookie flags (critical systems may still be in scope)
- Lack of rate limiting
- Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements
- HTTPS mixed content scripts
- Username/email enumeration via brute forcing or error messages (e.g. login / signup / forgotten password)
- Exceptional cases may still be in scope (e.g. ability to enumerate email addresses via incrementing a numeric parameter)
- Missing HTTP security headers
- TLS/SSL issues, including BEAST, BREACH, insecure renegotiation, bad cipher suites, expired certificates, etc.
- Denial of Service attacks
- Out-of-date software
- Use of a known-vulnerable component (exceptional cases, such as where you are able to provide proof of exploitation, may still be in scope)