Bug Bounty Program - KNAPP AG

For us at KNAPP, the security of our systems is a top priority. However, no matter how hard we try, vulnerabilities may still exist. If you discover a vulnerability, please let us know so that we can fix it as quickly as possible and ensure the protection of our systems and those of our customers.

Bounties based on the risk of the vulnerability:

  • Low: up to 100,00 €
  • Medium: up to 250,00 €
  • High: up to 500,00 €
  • Critical: up to 1.000,00 €

Scope of the Program:
The following KNAPP services and their domains are covered by this program:

Out of Scope:
All domains and services not explicitly listed above, as well as the following attacks, are considered out-of-scope, ineligible, and not covered by the safe harbor clause below:

  • Attacks on the physical security of KNAPP
  • Social Engineering
  • DoS/DDoS
  • Spam & Phishing
  • Use of automated tools such as vulnerability scanners
  • Use of domain enumeration tools
  • Any activities beyond demonstrating the attack vector, for example: privilege escalation after successfully accessing a server.
  • Data exfiltration, modification or destruction

Safe Harbor for Security Researchers
Hacking activities that follow these rules and this framework are considered authorized actions. KNAPP will therefore not take legal action against you if you circumvent the technical measures we use to protect the services and systems listed in “Scope of the Program”. However, some actions (e.g., destruction of data or DDoS) are offences under the Austrian Criminal Code that are prosecuted ex officio: the public prosecutor pursues them regardless of whether KNAPP files a complaint, even if they only affect our own systems. Therefore, please make sure that you comply with Austrian criminal law.

What we promise:
We will keep your report strictly confidential and will not share your personal information with any third party without your consent. We will keep you informed about the progress in fixing the vulnerability and offer a reward as a thank you for your assistance. The prerequisite for this is that the content of your report was not yet known to us.

What you promise:
When you find a vulnerability, create a concise, detailed report with exact reproduction steps. Ideally, your report should be understandable to non-experts. You promise not to disclose any information about your report to third parties at any time, and you may only exploit your findings for demonstration purposes; anything beyond that is prohibited. Your report must not contain any conditions, demands, threats or ransoms. Make sure you adhere to the Code of Ethics published by EC-Council (https://www.eccouncil.org/code-of-ethics/).

Security Researcher
Anyone who participates in the bug bounty program and follows these rules and framework will be classified as a “Security Researcher”. Only “Security Researchers” can receive rewards. By participating, you confirm that you are at least 18 years old or have the permission of your parent/guardian. To be classified as a “Security Researcher”, you must not have an existing relationship as an employee with KNAPP or have been employed by KNAPP within the last six months. Comply with existing laws and do not commit any illegal acts.

Bug Report
The bug report is a summary description of your findings or the detected vulnerability. The report must be the first for the corresponding vulnerability and must be complete. If two bug reports for the same vulnerability are eligible for reward, only the first one received on our side will be rewarded (First Come, First Serve).

A report is complete if the bug can be reproduced and the possible impact is measurable. It must also describe which services are affected and how we can reproduce the problem, and (if one exists) include the CVE identifier for the corresponding vulnerability together with a description of it.

Evaluation of reports
The bug report is evaluated exclusively by us, based on the Common Vulnerability Scoring System (CVSS).

Personal Data
By participating in the KNAPP Bug Bounty Program, you consent to the processing of your personal data in accordance with Art. 6(1)(a) GDPR as soon as you send your bug report to KNAPP or contact KNAPP. If your report qualifies for a reward, KNAPP will need to process the necessary personal data (e.g. your name, bank details, etc.) for the purpose of transferring the offered reward (Art. 6(1)(b) GDPR). Your personal data will only be stored for as long as is necessary to fulfill the above-mentioned purposes and to meet legal obligations. None of your personal data will be disclosed to other third parties without your consent. Automated decision-making does not take place. For more information on data protection and how you can assert your rights as a data subject, please visit https://www.knapp.com/en/home/privacy-policy/.