AKEYLESS BUG BOUNTY PROGRAM TERMS

Last Updated: 28 May 2023

A bug bounty program is one of the most powerful post-production tools to help detect vulnerabilities in applications and services. The Akeyless Bug Bounty program is a collaboration between Akeyless and security experts worldwide, aiming to continuously improve the security posture of Akeyless’ services and SaaS platform through the vulnerability discovery methods available through bug bounty. Under the Akeyless Bug Bounty Program (“Program”) you may be entitled to a monetary reward for your efforts, subject to the Program terms and conditions (“Terms”) as detailed herein below.

The Terms govern researchers’ eligibility, the requirements for submissions, the eligible targets, rewards and legal requirements.

AKEYLESS RESERVES THE RIGHT, AT ITS OWN DISCRETION, TO MODIFY, CORRECT OR AMEND THE TERMS OF THE PROGRAM AT ANY TIME. THE MOST CURRENT VERSION OF THE PROGRAM TERMS WILL ALWAYS BE DISPLAYED ON THE AKEYLESS’ WEBSITE. AKEYLESS MAY PROVIDE YOU WITH A WRITTEN NOTIFICATION OR DISPLAY A NOTICE ON ITS WEBSITE, ALL AT ITS SOLE DISCRETION, IN THE EVENT THAT A MATERIAL CHANGE WAS MADE.

  1. Eligibility: 
    You are not eligible to participate in the Program if you are (i) currently, or have been an employee of Akeyless, or any of its affiliates, within 6 months prior to submitting a Report; (ii) currently, or have been under contract with Akeyless, or any of its affiliates, within 6 months prior to submitting a Report; or (iii) a family or household member of any individual who currently or within the past 6 months meets or met the criteria listed in the two bullet points directly above. Further, Akeyless’ partners, customers, service providers and any other related parties are not eligible for participation in this program.
    You must be at least 18 years old or have reached the age of majority in your jurisdiction of primary residence and citizenship to be eligible to receive any monetary compensation. Exceptions with respect to a minor’s participation in the Program may be considered on a case-by-case basis as between Akeyless and the applicable minor’s guardian(s).

  2. Eligible Targets:
    The Bug Bounty Program applies to security vulnerabilities found within Akeyless’ public-facing online environment. This includes Akeyless’ websites, SaaS environment and exposed APIs listed here:
  3. Submit Your Report:
    If you have discovered a security issue or vulnerability please send us a report with all of the details of the security issue to our Akeyless Security Team via our Vulnerability Disclosure Page.
    In case you have found more than one vulnerability please report each vulnerability in a separate report. 

    Each report should include the following (“Report”):  
    1. Organisation and contact name; 
    2. Products or solutions affected; 
    3. Detailed description of the potential vulnerability, the impact you believe it has to the user, Akeyless or others, and any information about known exploits;  
    4. Specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing, supporting technical details (such as system configuration, traces, description of exploit, attack code, sample packet capture, proof of concept, steps to reproduce the issue); and 
    5. Your recommendations to resolve the issue.

      Please ensure that the Report includes all of the details, reproducible steps and any additional information requested by our Security Team to reproduce the issue. If you have not provided us with the required information, you shall not be eligible for a reward.
  4. Excluded Submission Types:
    Depending on their impact, some of the reported issues may not qualify to be rewarded because they are dangerous to assess, or because they have low security impact. These usually include findings from physical testing such as office access (e.g., open doors, tailgating), findings derived primarily from social engineering (e.g., phishing, vishing), findings from applications or systems not listed in the ‘Targets’ section, functional, UI and UX bugs and spelling mistakes. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not earn you a monetary reward:
    • Network level Denial of Service attacks
    • Application Denial of Service by locking user accounts
    • Descriptive error messages or headers (e.g., Stack Traces, banner grabbing)
    • Disclosure of known public files or directories, (e.g., robots.txt)
    • Outdated software / library versions
    • OPTIONS / TRACE HTTP method enabled
    • CSRF on logout
    • CSRF on forms that are available to anonymous users
    • Cookies that lack the HttpOnly or Secure flags for non-sensitive data
    • Self-XSS and issues exploitable only through Self-XSS
    • Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
    • Attacks requiring physical access to a user’s device
    • Attacks dependent upon social engineering of Akeyless employees or vendors
    • Username enumeration based on login or forgot password pages
    • Enforcement policies for brute force, rate limiting, or account lockout
    • SSL/TLS best practices
    • SSL attacks such as BEAST, BREACH, Renegotiation attack
    • Clickjacking, without additional details demonstrating a specific exploit
    • Mail configuration issues including SPF, DKIM, DMARC settings
    • Use of a known-vulnerable library without a description of an exploit specific to our implementation
    • Password and account recovery policies
    • Presence of autocomplete functionality in form fields
    • Publicly accessible login panels
    • Lack of email address verification during account registration or account invitation
    • Lack of email address verification during password restore
    • Session control during email/password changes
  5. Program Rules:
    • You must agree and adhere to the Program rules and Terms and conditions set herein.
    • Actions which affect the integrity or availability of program targets are prohibited and strictly enforced. If you notice performance degradation on the target systems, you must immediately suspend all use of automated tools.
    • Please provide detailed Reports with reproducible steps. If the Report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
    • Submit one vulnerability per Report, unless you need to chain vulnerabilities to provide impact.
    • When duplicates occur, we only award the first Report that was received (provided that it can be fully reproduced).
    • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
    • Avoid any privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder. Do not attempt to gain access to, modify, or damage data belonging to others.
    • Do not knowingly harm any Akeyless service or product or the experience or usability of these by others.
    • Do not use any “robot”, “spider” or other automatic device, program, script, algorithm, or methodology, or any similar or equivalent manual process, to access, acquire or copy any Akeyless services or product (or its data and/or content) or to find vulnerabilities. They’re noisy and we may ban your IP address.
    • A clear description of the issue, including the impact you believe it has to the user, Akeyless or others.
    • Specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
    • Your recommendations to resolve the issue.
    • We encourage you to include screenshots, Proof-of-Concept in your submissions. These files should not be shared publicly.
  6. Response Targets:
    Akeyless will make its best effort to meet the following response targets for community members participating in our Program:
    • Time to first response (from Report submit) – 2 business days
    • Time to triage (from Report submit) – 4 business days
    • Time to bounty (from triage) – 8 business days

      We’ll try to keep you informed about our progress throughout the process. We request that you keep any information related to our communication with you, your Report and your findings in complete confidentiality and that you do not disclose the reported vulnerability to others.
  7. Reward:
    Rewards for validated bug submission Reports range from $50 USD to $1,000 USD. Akeyless shall have the sole discretion, based on our Security Team’s evaluation of the severity, impact, and quality of the reported issue, to determine if the bug submitted to the Program is eligible for a reward and the reward amount. All determinations as to the eligibility and amount of a bounty made by Akeyless are final. In order to be eligible to receive a monetary reward you must at least:
    • Be the first person to submit an eligible vulnerability. When duplicates occur, we only award the first Report that was received.
    • Have the vulnerability determined to be a valid security issue by Akeyless’ security team. Note that multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
    • Be, and remain, in full compliance with all Program rules and Terms.
  8. Payment:
    Any payment is subject to the issuance of an applicable invoice. The invoice must meet all legal requirements. In order to receive the payment you must choose the applicable payment method from the table below and provide us with the required info:

    Method    Required Info
    PayPal    PayPal email address
    Wire      First and last name, address, bank name, SWIFT, IBAN number, sort code
  9. Confidentiality:
    “Confidential Information” means any information that is marked or otherwise designated as confidential at the time of disclosure or that a reasonable person would consider confidential based on the circumstances and content of the disclosure, and includes, without limitation: customer information, personally identifiable information, financial information, information regarding Target, pricing information, business information, fees and amounts paid to researchers and existence of Terms. Confidential Information also includes any and all information about us, our affiliates, customers and vendors that you acquire or gain access to as part of your actions in connection with this Program. Confidential Information does not include information that: (i) is or becomes known to the receiving party from a source other than one having an obligation of confidentiality to the disclosing party; (ii) is or becomes publicly known or otherwise ceases to be confidential, except through a breach of these Terms; or (iii) is independently developed by the receiving party.

    You agree that you will (i) hold in confidence and not disclose to any third party any Confidential Information, except as approved in writing by the disclosing party; (ii) protect such Confidential Information with at least the same degree of care that you use to protect your own confidential information, but in no case less than reasonable care; (iii) use the disclosing party’s Confidential Information for no purpose other than the use permitted by the disclosing party; and (iv) immediately notify the disclosing party upon discovery of any loss or unauthorised disclosure of the disclosing party’s Confidential Information.

    ALL SUBMISSIONS AND REPORTS ARE CONFIDENTIAL INFORMATION. This means no submissions may be publicly disclosed at any time unless Akeyless has otherwise consented to disclosure. You will not use or publish in any advertising, publicity, marketing or otherwise the name, trademark or logo of Akeyless. You shall not present yourself as a representative of Akeyless or as associated with Akeyless without our prior approval.
  10. Intellectual Property:
    You hereby acknowledge and agree that any of Akeyless’ services, the Akeyless website, the Program and any part and information thereof or accessed as part of the Program are the exclusive property of Akeyless and are protected by copyright, trademark and other intellectual property laws and treaties. All rights related to the Akeyless service, website and the Program are owned solely by Akeyless and your participation in the Program does not convey any title or ownership rights to you. Except as provided herein, Akeyless retains all right, title and interest in and to the Akeyless service, website and the Program and related marks, logos and content, trademarks, service marks, trade names, trade dress, domain names, patents, inventions, trade secrets, copyrights, database rights, including without limitation any derivatives, improvements and modifications thereto, and all other intellectual or industrial proprietary rights (including know-how) therein.

    You hereby represent that you have obtained the necessary approvals and consents from all third parties including your employer for the purpose of participating as a “researcher”. Furthermore, you hereby assign to Akeyless and agree to assign to Akeyless any and all of your Reports and rights thereto. To the extent any rights in your Report are not assignable, you shall grant and agree to grant to Akeyless under any and all such rights an irrevocable, paid-up, royalty free, perpetual, exclusive, sub-licensable (directly or indirectly through multiple tiers), transferable, and worldwide license to use and permit others to use such Report in any manner desired by us without restriction or accounting to you, including, without limitation, the right to make, have made, sell, offer for sale, use, rent, lease, import, copy, prepare derivative works, publicly display, publicly perform, and distribute all or any part of such Report and modifications and combinations thereof and to sublicense (directly or indirectly through multiple tiers) or transfer any and all such rights. Further, you shall waive and agree to waive in favour of Akeyless any moral right or other right or claim that is contrary to the intent of a complete transfer of rights to Akeyless in your Report.

    With respect to any feedback and information regarding the security issue, vulnerability and the Report (“Feedback”), all rights, including intellectual property rights, in such Feedback shall belong exclusively to Akeyless and, to the extent required by applicable law, you hereby irrevocably transfer and assign all intellectual property rights you may have in such Feedback to Akeyless and waive any and all moral rights that you may have in respect thereto.
  11. Safe Harbour:
    When conducting vulnerability research according to these Terms, we consider this research to be:
    • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
    • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
    • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

      You are expected, as always, to comply with all applicable laws.
      If at any time you have concerns or are uncertain whether your security research is consistent with these Terms, please submit a complaint at [email protected]
  12. Disclaimer of Warranties:
    All Confidential Information and other materials you receive through the Program are provided “as is” and without warranty of any kind. Without limiting this, we expressly disclaim all warranties, whether express, implied or statutory, regarding the Program including without limitation any warranty of merchantability, fitness for a particular purpose, title, security, accuracy and non-infringement.
  13. Limitation of Liability:
    Except as prohibited by law, you understand and agree that we will not be liable to you or any third party for any loss of profits, use, goodwill, or data, or for any incidental, indirect, special, consequential or exemplary damages. Our liability is limited whether or not we have been informed of the possibility of such damages, and even if a remedy set forth in this Agreement is found to have failed of its essential purpose. We will have no liability for any failure or delay due to matters beyond our reasonable control.

Any other terms shall be set forth in the Akeyless Terms and Conditions.