CertiK Bug Bounty Program
At CertiK, security is a top priority. We welcome researchers and ethical hackers to participate in our Bug Bounty Program. The support of the community, together with the daily work of our internal teams, helps CertiK to continuously enhance its security, which is fundamental for CertiK as an organization and for our clients.

Guidelines & Participation Requirements

In consideration of applicable laws and regulations, the CertiK Bug Bounty Program is open to individuals over the age of 18. Vulnerabilities must not be exploited when discovered; to participate in the Program, any impact on CertiK systems and on the confidentiality, integrity and availability of CertiK data must be avoided.

Any vulnerability or other finding impacting the security of CertiK products, services and/or users should be submitted to info[at]certik[dot]com. All submissions must follow the indications and guidelines outlined in the following sections. CertiK reserves the right to determine any and all eligibility for a bounty in its sole discretion.

Reports describing the identified vulnerability must contain a Proof of Concept (PoC), together with a clear description of the steps necessary to reproduce the vulnerability on the in-scope asset and of the impact if the vulnerability is exploited. This information is required for a report to be eligible for a reward. Clear and detailed reports are highly valued and more likely to result in higher rewards.

Prohibited Activities

The following activities are prohibited on CertiK assets (and do not qualify for a bounty):

  • Automated testing, scanning or other activities that generate significant amounts of traffic and may impair CertiK services
  • Brute-force attacks or denial-of-service attacks
  • Social engineering (e.g. phishing, vishing, smishing)

Scope

The CertiK Bug Bounty Program is active and valid for the CertiK assets listed below. Any vulnerability identified on other assets may not be eligible for a reward.

Asset                                         Asset Type   Max Severity
CertiK Website (certik.com)                   Domain       Critical
Skynet (https://skynet.certik.com/)           Domain       Critical
Skynet (https://skyharbor.certik.com/)        Domain       Critical
Skyinsights (https://skyinsights.certik.com)  Domain       Critical
Subdomains of the above                       Subdomain    High

KYC Requirements

Users eligible for rewards must complete CertiK's Know Your Customer (KYC) process before receiving the bounty. This includes identity verification, conducted via a third-party application by uploading documentation that proves the user's identity, so that CertiK can perform anti-money laundering and counter-terrorism financing (AML-CTF) checks.

Exclusions

Reports covering previously reported vulnerabilities and, in general, vulnerabilities already known to CertiK are not eligible for a reward.

Vulnerabilities (typically misconfigurations) classified with severity "Informational" are not eligible for a reward, as no or minimal impact is expected in such cases. Similarly, security best practice recommendations with low or no associated issues are not eligible for a reward. Findings identified via automated tools without manual validation, and superficial issues, will also not qualify for a reward.

Other findings that are not eligible for rewards are the following:

  • Email Spoofing - SPF/DMARC Records Misconfiguration
  • Any activity that could lead to the disruption of our service (DoS)
  • Best practice recommendations
  • Non-Sensitive Data Disclosure
  • Attacks requiring physical access to a user's device
  • Exposure of non-sensitive API keys
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions - Login/Logout CSRF
  • Reports exploiting the behavior of - or vulnerabilities in - outdated browsers
  • Unconfirmed reports from automated vulnerability scanners
  • Issues that require unlikely user interaction
  • Previously known vulnerable libraries without a working Proof of Concept
  • Missing best practices in SSL/TLS configuration
  • Spam / Flooding
  • Tab nabbing
  • Social engineering
  • Presence of autocomplete attribute on web forms
  • CORS misconfiguration with no security impact
  • Self-XSS with no security impact
  • CSV/formula injection
  • Missing HTTP security headers or cookie flags without demonstrated impact
  • Clickjacking with no or low security impact

Vulnerabilities identified on CertiK assets which are not listed in the Scope section above may not be eligible for a reward.

Disclosure Policy

Participants in the CertiK Bug Bounty Program are prohibited from publicly disclosing vulnerabilities and any associated details until CertiK confirms that the issue is resolved and approves any public disclosure.

Participants acting in good faith and respecting the Program's indications and guidelines will not face legal action from CertiK for their efforts in testing CertiK assets.

Legal Considerations

Reverse Engineering Prohibition: participants in the Program must not reverse engineer, decompile, or attempt to access the source code of any CertiK assets, unless explicitly authorized.

Compliance with Laws: participants in the Program must comply with all applicable laws and regulations, including but not limited to local, state, federal and international laws.