I found a bug or exploit
Key-Drop Bug Bounty Program
Key-Drop offers a bug bounty system where registered and active Key-Drop users can report bugs, errors and exploits and get rewarded. The main goal is to always improve and provide the best experience for our users, and you can help us achieve that! We request that you always act responsibly and in the best interests of Key-Drop and its users.
Problem categories
Relevance | Examples | Maximum Payout |
---|---|---|
Critical | RCE, SQLi, vertical auth bypass, unauthorized access to highly sensitive data | 5 000 USD |
High | Stored XSS, lateral auth bypass, local file inclusion | 2 000 USD |
Medium | Reflected XSS | 500 USD |
Low | Information leaks, best practices | 100 USD |
Very Low | Typos, little bugs and shortcomings | Gold Coins* |
*As currency on the website
The reward depends on how serious the reported problem is. The table above describes different problem categories and their corresponding rewards.
Bug reports without the information described above will not be considered for a reward. If we cannot reproduce the bug, you will not receive a reward, so make sure to describe the steps as accurately as you can. If a bug is reported multiple times, only the first user who reported it will qualify for a reward.
All provisions contained in this policy should be considered integral to and as an extension of the current Terms of Service and Privacy Policy. No action taken under this policy and for the purpose of obtaining a reward may be in conflict with the general terms of use of the website or applicable law. Bugs reported in violation of any terms of use of the website or law will not be rewarded.
Privacy
Please be aware that all information about our systems, including bugs, errors and exploits, which is not publicly available, is strictly confidential and any disclosure is prohibited. You must not share or otherwise use it for any purpose other than submitting the bug report to us as described above. You must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our website, employees, users, or infrastructure.
Rules
By submitting a bug report you agree that we can use your personal data as well as all information contained in the report in order to ensure the security, integrity and reliable operation of our website. At the same time you acknowledge that you have read and agreed to this Policy. In particular, you confirm and assure that:
your bug report will not violate any law applicable to you, or disrupt or compromise any data that is not your own;
you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the bug bounty system, including from any bounty payments;
Key-Drop reserves the right to terminate or discontinue the bug bounty system at its sole discretion;
the bug bounty system only concerns vulnerabilities on the websites operated by Key-Drop. Any sites hosted on subdomains of key-drop.com that are operated by third parties should not be tested.
Submitting a report is simple, but there are a few points a report needs to have in order to be considered for a reward. Every bug report, to be considered for a reward, must contain at least:
your name, user ID and contact details;
detailed description of the bug/exploit (may be brief in some cases - length does not matter as long as it’s complete and concrete);
steps to reproduce the bug / exploit;
details about operating systems, software, versions that are relevant;
how often it happens when you try to reproduce it (always, barely ever happens, 50/50, etc.);
if the bug/exploit does not happen often and/or the conditions for it to occur are significantly hard to reproduce, proof (video/screenshot) is required.
Any additional information is welcome. The more information you send, the easier it is for us to reproduce the scenario described, find the root cause and fix whatever is wrong. We may ask you for additional information or evidence in each case.
Updated on: 16/01/2024