Last updated: Dec 2022
Akto is committed to the safety and security of users on Akto. To recognize the importance of independent security researchers in keeping Akto safe, we offer the following bug bounty program to reward the reporting of certain qualifying security vulnerabilities. Please make sure you review the following information before you report a vulnerability. By participating in this program, you agree to be bound by the following information.
We encourage anyone to report security issues to security@akto.io.
Our rewards are based on the impact of a vulnerability and how we classify the severity of bugs. For more details, please see Issue Severity below.
When duplicates occur, we award the first report that we can completely reproduce.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
The amounts below are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for bounty.
We welcome your feedback to continue improving our bug bounty program.
P1: $500
P2: $300
P3: $150
P4: Swag
P5: NA
As stated in the program policy, the amounts set here are the maximum we will pay per category. We aim to be fair, but all reward amounts are at our discretion.
Stored XSS (on the dashboard): On Hold until remediated
SSRF: On Hold until remediated
*.akto.io
WAF bypass
Internal IP address disclosure
Accessible Non-sensitive files and directories (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc.)
Social engineering/phishing attacks
Self XSS
Text injection
Email spoofing (including SPF, DKIM, DMARC, From: spoofing, and visually similar and related issues)
Descriptive error messages (e.g. stack traces, application or server errors, path disclosure)
Fingerprinting/banner disclosure on common/public services
Clickjacking and issues only exploitable through clickjacking
CSRF issues that don't impact the integrity of an account (e.g. log in or out, contact forms and other publicly accessible forms)
Lack of Secure and HttpOnly cookie flags (critical systems may still be in scope)
Lack of rate limiting
Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements
HTTPS mixed content scripts
Username/email enumeration by brute forcing or error messages (e.g. login/signup/forgotten password)
Exceptional cases may still be in scope (e.g. ability to enumerate email addresses via incrementing a numeric parameter)
Missing HTTP security headers
TLS/SSL issues, including BEAST, BREACH, insecure renegotiation, weak cipher suites, expired certificates, etc.
Denial of Service attacks
Out-of-date software
Use of a known-vulnerable component (exceptional cases, such as where you are able to provide proof of exploitation, may still be in scope)