Bug Bounty Program - KNAPP AG

For us at KNAPP, the security of our systems is a top priority. However, no matter how hard we try, vulnerabilities may still exist. If you discover a vulnerability, please let us know so that we can fix it as quickly as possible and ensure the protection of our systems and those of our customers.

Bounties based on the risk of the vulnerability:

  • Low: up to 100,00 €
  • Medium: up to 250,00 €
  • High: up to 500,00 €
  • Critical: up to 1.000,00 €

Scope of the Program:
The following KNAPP domains, and the services running on them, are covered by this program:
knapp.com
*.knapp.com

Out of Scope:
All domains and services not explicitly listed above, as well as the following attacks, are considered out-of-scope, ineligible, and not covered by the safe harbor clause below:

  • Attacks on the physical security of KNAPP
  • Social Engineering
  • Denial-of-Service / Distributed-Denial-of-Service
  • Spam & Phishing
  • Use of automated tools such as vulnerability scanners
  • Use of domain enumeration tools
  • Any activities beyond demonstrating the attack vector, for example: privilege escalation after successfully accessing a server.
  • Data exfiltration, data modification or data destruction

Safe Harbor for Security Researchers
Security testing that follows these rules and this framework is considered authorized. KNAPP will therefore not take legal action against you if you circumvent the technical measures we use to protect the services and systems listed in “Scope of the Program”. However, some actions (e.g., destruction of data or DDoS) are offenses prosecuted ex officio under the Austrian Criminal Code, i.e., the authorities prosecute them regardless of whether KNAPP files a complaint, even if they only affect our own systems. Therefore, please make sure that you comply with Austrian criminal law.

What we promise:
We will keep your report strictly confidential and will not share your personal information with any third party without your consent. We will keep you informed about the progress in fixing the vulnerability and offer a reward as a thank you for your assistance. The prerequisite for this is that our quality requirements are met and that the content of your report was not yet known to us.

What you promise:
When you find a vulnerability, create a concise, detailed report with exact reproduction steps. Ideally, your report should be understandable to non-experts. You promise not to disclose any information about your report to third parties at any time, and you may only exploit your findings for demonstration purposes; anything beyond that is prohibited. Your report must not contain any conditions, demands, threats or ransoms. Make sure you adhere to the Code of Ethics published by EC-Council (https://www.eccouncil.org/code-of-ethics/).

KNAPP only evaluates reports that meet our quality requirements, i.e., they must contain their own technical analysis (including affected resource, reproducible steps, expected and observed behavior, impact assessment). Obviously generic or exclusively AI-generated texts without their own technical added value may be closed without individual feedback. In such cases, there is no entitlement to remuneration.

Security Researcher
Anyone who participates in the bug bounty program and follows these rules and framework will be classified as a “Security Researcher”. Only “Security Researchers” can receive rewards. By participating, you confirm that you are at least 18 years old or have the permission of your parent/guardian. To be classified as a “Security Researcher”, you must not have an existing relationship as an employee with KNAPP or have been employed by KNAPP within the last six months. Comply with existing laws and do not commit any illegal acts.

Bug Report
The bug report is a summary description of your findings or the detected vulnerability. The report must be the first for the corresponding vulnerability and must be complete. If two bug reports for the same vulnerability are eligible for reward, only the first one received on our side will be rewarded (First Come, First Serve).

A report is complete if the bug can be reproduced and the possible impact is measurable. It must also describe which services are affected, how we can reproduce the problem, and (if identifiable) include the CVE number for the corresponding vulnerability and a description of it. Reports that are obviously generic or AI-generated are excluded from the bug bounty program.

Evaluation of reports
The bug report is evaluated exclusively by us, based on the Common Vulnerability Scoring System (CVSS).

Personal Data
KNAPP processes your personal data for the purpose of processing and prioritizing reports on the basis of legitimate interest (Art. 6 (1) (f) GDPR; ensuring the security of IT systems and protection against attacks). Processing is necessary because otherwise the report cannot be evaluated. This is a voluntary report and the processing represents a low level of intrusion. If your report is eligible for a reward, KNAPP must process the personal data necessary for paying out the reward offered (e.g., your name and bank details) (Art. 6 (1) (b) GDPR). Your personal data will only be stored for as long as is necessary to comply with legal obligations and to fulfill the above-mentioned purposes. None of your personal data will be passed on to third parties (except for payment service providers in the case of remuneration) without your consent. No automated decision-making takes place. For more information on data protection and how you can assert your rights as a data subject, please visit https://www.knapp.com/en/home/privacy-policy/.