Articles on: Bug Bounty
This article is also available in:

I found an bug or exploit

Key-Drop Bug Bounty Program

Key-Drop offers a bug bounty system where registered and active Key-Drop users can report bugs, errors and exploits and get rewarded. The main goal is to always improve and provide the best experience for our users, and you can help us achieve that! We request that you always act responsibly and in the best interests of Key-Drop and its users.

Problem categories

RelevanceExamplesMaximum Payout
CriticalRCE, SQLi, vertical auth bypass, unauthorized access to highly sensitive data5 000 USD
HighStored XSS, lateral auth bypass, local file inclusion2 000 USD
MediumReflected XSS500 USD
LowInformation leaks, best practices100 USD
Very LowTypos, little bugs and shortcomingsGold Coins*

*As currency on the website

The reward depends on how serious the reported problem is. The table above describes different problem categories and their corresponding rewards.

Bug reports without the information described above will not be considered for a reward. Failure to reproduce the bug will not grant you a reward, so make sure to describe the steps as accurately as you can. If a bug is reported multiple times, only the first user that reported it will qualify for a reward.

All provisions contained in this policy should be considered integral to and as an extension of the current Terms of Service and Privacy Policy. No action taken under this policy and for the purpose of obtaining a reward may be in conflict with the general terms of use of the website or applicable law. Bugs reported in violation of any terms of use of the website or law will not be rewarded.


Please be aware that all information about our systems, including bugs, errors and exploits, which is not publicly available, is strictly confidential and any disclosure is prohibited. You must not share or otherwise use it for any purpose other than submitting the bug report to us as described above. You must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our website, employees, users, or infrastructure.


By submitting a bug report you agree that we can use your personal data as well as all information contained in the report in order to ensure the security, integrity and reliable operation of our website. At the same time you acknowledge that you have read and agreed to this Policy. Especially, you confirm and assure that:

your bug report will not violate any law applicable to you, or disrupt or compromise any data that is not your own;
you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the bug bounty system, including from any bounty payments,
Key-Drop reserves the right to terminate or discontinue Bug Bounty system at its sole discretion;
bug bounty system only concerns the vulnerabilities on the websites operated by Key-Drop. Any sites hosted on subdomains of that are operated by third parties and should not be tested.

Submitting a report is simple, but there are a few points a report needs to have in order to be considered for a reward. Every bug report, to be considered for a reward, must contain at least:

Your name, user ID and contact details;
detailed description of the bug/exploit (may be brief in some cases - length does not matter as long as it’s complete and concrete);
steps to reproduce the bug / exploit;
details about operating systems, software, versions that are relevant;
how often it happens when you try to reproduce it (always, barely ever happens, 50/50, etc);
if the bug/exploit does not happen often and/or is significantly hard to reproduce the conditions for it to occur, proof (video/screenshot) is required.

Any additional information is welcome. The more information you send, the easier it is for us to reproduce the scenario described, find the root cause and fix whatever is wrong. We may ask you for additional information or evidence in each case.

Updated on: 16/01/2024