Kava Security Bug Bounty Program

Introduction

The Kava Security Bug Bounty provides bounties for vulnerabilities and exploits discovered in the Kava ecosystem, which includes our website https://www.kava.world, our game CasinoLife Poker and Kava Coin – our Stellar protocol based cryptocurrency. We recognize the importance of our community and security researchers in helping identify bugs and issues. We encourage responsible disclosure of security vulnerabilities via the bug bounty program described on this page.

Reward Bounty

The first person to report a specific vulnerability will be eligible for credit in the Security Hall of Fame as well as a bounty in our digital currency, Kava Coin. The amount of the award depends on the severity of the vulnerability reported.

Our security team will evaluate award sizes according to severity calculated according to the OWASP risk rating model based on Impact and Likelihood. However, final awards are determined at the sole discretion of the security team:

  • Critical: up to 15,000 points
  • High: up to 5,000 points
  • Medium: up to 3,000 points
  • Low: up to 1,000 points

1 point currently corresponds to 1 Kava Coin.

Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.

Eligibility

Generally speaking, any bug that poses a significant vulnerability to the security or integrity of our infrastructure and ecosystem as defined above could be eligible for reward. However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for reward.

In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

  • Implementation bugs that can lead to financial loss
  • Access to our production servers
  • Remote Code Execution
  • Protocol bugs
  • Crash bugs in our game servers (e.g., a bug that can crash the app by sending a single specially crafted request, not by sending thousands of requests).
  • Unlimited Free Rewards or Credits outside of normal game play
  • Remote code execution that gives unrestricted access to Kava servers
  • SQL Injection or equivalent
  • Significant authentication bypass or information leakage, e.g., taking over an account without tricking the user, or viewing members’ encrypted passwords.

The following issues are reported very often and will be marked as Not Applicable:

  • SPF/DMARC records.
  • CORS headers on endpoints meant to be accessible from other domains.
  • Issues with other services we use (WordPress, CloudFront, Sendmail, etc.).
  • Logout CSRF.
  • Readable AWS S3 buckets which are public.
  • WordPress admin username disclosure.
  • Vulnerabilities in 3rd-party libraries without a working exploit against our apps/servers.
  • Vulnerabilities in 3rd-party platforms such as blog.kaneva.com or medium.com/kavacoins.
  • Typical XSS, XSRF, XSSI, Clickjacking, and other common web flaws.
  • Social engineering.
  • Brute-force denial of service bugs.
  • Out of concern for the availability of our services to all users, we ask you to refrain from using any tools that are likely to automatically generate significant volumes of traffic.

In general, the following would not meet the threshold for severity (and can be marked Not Applicable):

  • Version disclosure.
  • Lack of security headers.
  • Cookies without secure flag.
  • Recently disclosed 0-day vulnerabilities.
  • Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
  • Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.
  • Vulnerabilities affecting outdated or unpatched browsers.
  • Vulnerabilities in third party applications that make use of our internal and/or Stellar’s API.
  • Bugs that have not been responsibly investigated and reported.
  • Bugs already known to us, or already reported by someone else (reward goes to first reporter).
  • Issues that aren’t reproducible.
  • Issues that we can’t reasonably be expected to do anything about.

Severity

The severity of a bug, i.e. how many participants are affected, is taken into consideration when deciding the bounty points allocation and hence the amount of Kava Coin.

Investigation Best Practices

Please use your local instance of Stellar-core / Horizon and a separate network (not the test or public network) when searching for security bugs. Remember that blockchains are public and someone may see your findings and report the bug before you.

A step-by-step report (or an exploit script) is more than welcome. It will allow us to understand and fix the issue faster, and you will get your reward more quickly.
When investigating a vulnerability, please only ever target your own accounts. Never attempt to access anyone else’s data, and do not engage in any activity that would be disruptive or damaging to your fellow members or to Kava.

Please report any vulnerability to security@kava.world. Please include a proof of concept or links that explain the method that demonstrates the vulnerability. We will contact you to validate the bug, reproduce it, diagnose it, and fix it.

Report a bug

  • Submit your bug via email to security@kava.world
  • Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or a proof of concept.
  • Please allow 7 – 10 business days for us to respond before sending another email.

Legal

You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists.
