KEENFINITY Group Vulnerability Disclosure Form (Managed by Hackrate)

To keep user and partner data safe and ensure privacy is protected, Keenfinity Group is looking forward to working with the security community to help identify vulnerabilities. If you’re a security researcher and you’ve found a vulnerability in our products, we would ask you to let us know by using the form below.

Please provide detailed information with reproducible steps and submit one vulnerability per report. However, if you need to group together information on related vulnerabilities in order to outline the overall impact, you can submit this in one report.

General Rules:

  • Testing is only authorized on the targets listed as Testing scope.
  • Any domain/property/database/IP address of Keenfinity not listed in the Testing scope section is strictly out of scope.
  • Avoid privacy violations, destruction of data, and interruption or degradation of Keenfinity's services.
  • Only interact with accounts you own or accounts that have been explicitly provisioned to you for testing purposes.
  • Findings must be exact, and the Reports must contain the steps to follow to reproduce the issue.
  • Attachments such as screenshots or Proof of Concept Code are highly recommended.
  • Keenfinity requests that you do not perform automated/scripted testing of API endpoints or web forms, for example "Contact us" forms, without first ensuring that the test does not cause large volumes of emails, SMS, etc. to be sent.
  • You must not be a former or current employee of Keenfinity or one of its subcontractors.

Assumptions and Limitations

Unauthorised and prohibited activities:

  • Attacks that knowingly result in Denial of Service (DoS)
  • Distributed Denial of Service (DDoS) based attacks
  • Non-technical attacks such as social engineering or phishing, vishing, smishing
  • Physical security attacks
  • Password cracking attempts (through brute-forcing, spraying, etc.) except on your own accounts

Additional Information:

  • Keenfinity currently does not offer any monetary compensation.
  • Requests or demands for monetary compensation in connection with any identified or alleged vulnerability are non-compliant with the Vulnerability Disclosure Program.

Out of scope URLs and Domains

Anything outside of the explicitly approved testing scope is out of scope, including the following:

  • Subdomains of Keenfinity.live, unless explicitly listed as target
  • IP addresses of the out-of-scope domains
  • DNS servers related to Keenfinity domains
  • Any unauthorized access to Third-Party Systems is strictly prohibited

Incident Handling and Response:

You, as a Bounty Hunter, must report any suspicious, unintentional or unwanted activities and security events you may find in the environment to [email protected].

Keenfinity reserves the right to terminate and/or suspend the Program or revoke any Bounty Hunter’s authorization if a security incident occurs in the environment.

E-mail alias:

If possible, please use your email alias during testing. Your e-mail alias is your [email protected] (example: if your username is abcd, then your email alias will be [email protected]). Your letmehack.it e-mail alias will forward all emails to your registered e-mail address at Hackrate.

Public Disclosure:

Before disclosing an issue publicly, we require that you first request permission from us (using the [email protected] email address). Keenfinity will process requests for public disclosure on a per-report basis.

Any Bounty Hunter found publicly disclosing reported vulnerabilities without Keenfinity's written consent will be sanctioned.

Rewards

Keenfinity currently does not offer any monetary compensation.

Submit a bug!

Write your report with a clear explanation and don’t forget to upload your Proof-of-Concept.

Report a bug to KEENFINITY Group

Hackrate supports markdown syntax. You can use it to add formatting elements to your report.


Enter your email to receive updates on the status of your submission. (optional)

Upload Evidences

You can easily upload pictures, videos and text files up to 150 Megabytes.


By clicking 'Submit', you agree to Hackrate's Terms and Conditions and Privacy Policy.
