Responsible Disclosure Policy

Last updated: Dec 2022

Akto Bug Bounty Program:

Akto is committed to the safety and security of users on Akto. To recognize the importance of independent security researchers in keeping Akto safe, we offer the following bug bounty program to reward the reporting of certain qualifying security vulnerabilities. Please make sure you review the following information before you report a vulnerability. By participating in this program, you agree to be bound by the following information.

We encourage anyone to report security issues to

Program Rules:

  • Our rewards are based on the impact of a vulnerability and how we classify the severity of bugs. For more details, please see Issue Severity below.

  • When duplicates occur, we award the first report that we can completely reproduce.

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • The amounts below are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.

  • We welcome your feedback to continue improving our bug bounty program.

Bounty Amounts:

  • P1: $500

  • P2: $300

  • P3: $150

  • P4: Swag

  • P5: NA

As stated in the program policy, the amounts set here are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.

Known Issues:

Stored XSS (on the dashboard): On Hold until remediated
SSRF: On Hold until remediated

Out of Scope:

  • WAF bypass

  • Internal IP address disclosure

  • Accessible Non-sensitive files and directories (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc.)

  • Social engineering/phishing attacks

  • Self XSS

  • Text injection

  • Email spoofing (including SPF, DKIM, DMARC, From: spoofing, and visually similar and related issues)

  • Descriptive error messages (e.g. stack traces, application or server errors, path disclosure)

  • Fingerprinting/banner disclosure on common/public services

  • Clickjacking and issues only exploitable through clickjacking

  • CSRF issues that don't impact the integrity of an account (e.g. log in or out, contact forms and other publicly accessible forms)

  • Lack of Secure and HTTPOnly cookie flags (critical systems may still be in scope)

  • Lack of rate limiting

  • Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements

  • HTTPS mixed content scripts

  • Username/email enumeration by brute forcing / error messages (e.g. login/signup / forgotten password)

  • Exceptional cases may still be in scope (e.g. ability to enumerate email addresses via incrementing a numeric parameter)

  • Missing HTTP security headers

  • TLS/SSL issues, including BEAST, BREACH, insecure renegotiation, bad cipher suites, expired certificates, etc.

  • Denial of Service attacks

  • Out-of-date software

  • Use of a known-vulnerable component (exceptional cases, such as where you are able to provide proof of exploitation, may still be in scope)

Got a question?

Contact us