Bug Bounty

Responsible Disclosure of Security Vulnerabilities

Program Terms

We work with the security community to make our products safer for everyone. Security researchers play a vital role in safeguarding digital information. All vulnerability reports must adhere to these Bug Bounty Terms and Conditions.

By participating in this program, you agree to be bound by these rules and terms. KaziQuest Ltd. reserves the right to:

  • Make final and binding decisions regarding reward eligibility and amounts.
  • Change or cancel this program or its terms at any time without prior notice.
  • Determine the severity, impact, and exploitability of any reported issue.

Reporting security issues

Please make sure you understand the program rules before you report a vulnerability; by participating in this program you agree to be bound by them. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly. If you believe you have found a vulnerability or have a security incident to report, please submit your report here. To help us triage your report effectively, please include:

  • Summary: A clear, concise description of the vulnerability.
  • Attack Vector: The method or path used to exploit the issue.
  • Steps to Reproduce: Detailed, step-by-step instructions.
  • Proof of Concept (PoC): Screenshots, videos, or scripts demonstrating the exploit.
  • Impact: A brief assessment of the potential risk if left unmitigated.

Code of Conduct & Rules

Researchers must strictly adhere to the following rules. Failure to comply will result in immediate disqualification from the program and may result in a permanent ban from all KaziQuest Ltd services.

If you follow these rules, we will not take legal or administrative action against you or your account: white-hat researchers are always appreciated.

  • Never attempt to access, leak, manipulate, or destroy real user data. If you accidentally encounter Personally Identifiable Information (PII), stop testing and report it immediately.
  • Never attempt to gain access to a real user’s account. In no event are you permitted to access, download, or modify data residing in any account other than your own.
  • If you wish to test cross-account or access control vulnerabilities, you must create and use multiple KaziQuest instances that you personally own.
  • Do not perform testing that disrupts services or impacts the user experience.
  • You are strictly prohibited from executing or attempting to execute a Denial of Service (DoS/DDoS) attack or any resource exhaustion attack.
  • Avoid security scanners or tools that may cause DoS, DDoS, or scraping-like behavior.
  • Knowingly posting, transmitting, uploading, or storing any malicious software, illegal files, or “shells” on KaziQuest infrastructure is prohibited.
  • Attempting to rename an account or testing the account name change functionality is currently out of scope.
  • Technical attacks only. Phishing, vishing, or physical attacks against KaziQuest employees, contractors, or infrastructure are strictly prohibited.
  • Do not contact KaziQuest through official Support channels for testing purposes without explicitly identifying yourself as a security researcher.
  • Testing must not result in the sending of unsolicited junk mail, spam, pyramid schemes, or duplicative messages to KaziQuest or its users.
  • Any vulnerability found must be reported no later than 48 hours after discovery.
  • You are prohibited from attempting to upgrade a trial account to a paid account without valid payment or otherwise attempting to circumvent KaziQuest’s charges, fees, or licensing restrictions.

Out of Scope (Things We Are NOT Looking For)

Reports that fall into these categories will be closed without reward and may lead to a ban if submitted repeatedly:

  • Missing security headers (HSTS, CSP, etc.) that do not lead to a direct exploit.
  • SSL/TLS best practices (weak ciphers, lack of Forward Secrecy) without a PoC.
  • DNS misconfigurations (missing SPF/DKIM/DMARC records).
  • Password policies (complexity requirements, reset link expiration).
  • Banner grabbing or software version disclosure.
  • Self-XSS or Logout/Unauthenticated CSRF.
  • Clickjacking on pages without sensitive state-changing actions.
  • Username/email enumeration, or the browser Back button showing a cached page after logout.
  • Missing or weak rate limiting on endpoints, unless it results in a significant security compromise.
  • Tabnabbing.
  • CSV/Excel formula (command) injection.
  • Vulnerabilities that only affect outdated browsers, or recently disclosed (0-day) vulnerabilities in third-party providers, for 10 days after public disclosure.
  • Issues requiring a rooted or jailbroken device.
  • The output of automated scanners without explanation.
  • Broken link hijacking.
  • Phishing risk via Unicode/Punycode or RTLO (right-to-left override) issues.
  • Presence of EXIF metadata in file uploads.
  • Ability to upload/download executables.
  • Bypassing pricing/paid feature restrictions.
  • Host header injection unless you can show how a third party can exploit it.
  • Open ports without an associated vulnerability.
  • Issues that do not affect the latest version of our applications, modern browsers, or platforms.
  • Any other issue determined to be of low or negligible security impact.

Bug Bounty 

We’re happy to provide a reward to users who report valid security vulnerabilities. To be eligible for credit and a reward, you must:

  • Be the first person to responsibly disclose the bug.
  • Report a bug that could compromise our users’ private data, circumvent the system’s protections, or enable access to a system within our infrastructure.
  • Comply with all terms and requirements of the Bug Bounty Program as stated on this page.

Severity       Bounty in USD (up to)
Low Tier       $25
Medium Tier    $50
Higher Tier    $100

Our Commitment

Our security team will assess each report to determine whether it qualifies. We do our best to respond to reports in a timely manner: we aim to reply within 3 business days, although some reports take longer than others to investigate. We reply only during business hours (9 AM–5 PM EAT, Monday to Friday, excluding holidays). Reports that fail to comply with the terms of the Bug Bounty program (for example, by breaking a rule or reporting a vulnerability we have explicitly listed as out of scope) will be denied outright.

Ownership of Submission 

You grant KaziQuest a non-exclusive, irrevocable, worldwide, perpetual, royalty-free license to review, assess, and use your submission to analyze and resolve the vulnerability you report, and for other related purposes.

Limitation of Liability

KAZIQUEST LTD SHALL IN NO EVENT BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR OTHER LOSS OR DAMAGE WHATSOEVER, INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR DATA LOSS ARISING OUT OF YOUR PARTICIPATION IN THIS PROGRAM.