1. Overview
Keboola is committed to protecting our customers, employees, and partners. We welcome the contributions of the security-research community and provide a clear, safe-harbor process for reporting vulnerabilities.
2. Safe-Harbor Statement
If you follow all guidelines in this document when researching and reporting, Keboola will:
- Not pursue civil or criminal actions.
- Not involve law-enforcement or third parties to investigate.
- Consider your research authorized under the Computer Fraud and Abuse Act (CFAA) and similar laws.
3. How to Report
Submit all vulnerability reports by email to security@keboola.com. All reports, communication, and reward processing are handled over email unless otherwise agreed.
4. In-Scope Targets
The following production domains (and their sub-domains) are in scope:
| Cloud | Region | Base URL |
|---|---|---|
| Azure | North Europe | https://connection.north-europe.azure.keboola.com |
| AWS | us-east-1 | https://connection.keboola.com |
| AWS | eu-central-1 | https://connection.eu-central-1.keboola.com |
| GCP | europe-west3 | https://connection.europe-west3.gcp.keboola.com |
| GCP | us-east4 | https://connection.us-east4.gcp.keboola.com |
Note: These endpoints expose one logical service; exploiting the same bug on multiple regions counts as one report.
Test Accounts: Keboola does not provide dedicated test environments or accounts. Researchers must use only their own data and accounts for testing. Access to other customers' data or Keboola internal data is strictly prohibited.
5. Out-of-Scope Findings
The categories below do not qualify for a reward and may be closed as informational:
- Availability issues – Denial-of-Service, resource exhaustion, spam, or load/latency degradation.
- Email / DNS hygiene – DMARC, SPF, DKIM, DNSSEC, missing CAA, etc.
- Best-practice hardening gaps – SSL/TLS cipher preference, cookie flags on non-sensitive cookies, password-complexity suggestions.
- Self-XSS or issues that require the victim to paste JavaScript into their own console.
- Click-jacking or "tabnabbing" without proven sensitive impact.
- "Low-effort" scanner output – automated scans, missing security headers, version disclosures, or screenshots-only/video-only PoCs.
- Phishing & social-engineering scenarios.
- Content injection that cannot lead to data theft or code execution.
- Vulnerabilities that require installation of non-standard software or improbable victim actions.
- Subdomain takeover without proven security impact (e.g., ability to steal cookies).
6. Allowed Research Activities
You may:
- Access only data you own. Do not target other customers' data.
- Use rate-limited automated tools that do not degrade service performance.
- Share exploit details privately with Keboola and keep them confidential until coordinated disclosure (see Section 11).
- Stop immediately and notify us if you encounter PII or production data belonging to Keboola or other customers.
7. Prohibited Activities
- Exploiting a vulnerability beyond what is necessary to prove its existence.
- Persisting shells/backdoors, pivoting to internal networks, or maintaining long-lived access.
- Social-engineering employees or customers.
- Physical security testing.
- Any activity that violates applicable laws.
- Excessive spam or status update requests (see Section 12 for communication guidelines).
8. Report Quality & Reproducibility
Your report must include:
- Summary – clear description + impact assessment.
- Steps to reproduce – numbered, detailed instructions that can be followed exactly.
- Proof of Concept – you must demonstrate actual exploitation using only your own data. Reports without proven exploitation on researcher-owned data will not qualify for rewards.
- Evidence – screenshots, HTTP transcripts, or minimal PoC code showing the vulnerability exploited on your own account/data.
- Recommended remediation (optional but appreciated).
Important: Access to other customers' data or Keboola internal systems during testing is strictly prohibited. Your PoC must demonstrate the vulnerability using only resources you legitimately own and control.
Unclear or partial reports may be closed or returned for more information and may affect bounty eligibility.
9. Severity Classification & Rewards
Reward amounts are determined based on severity, impact, and report quality. Keboola reserves sole discretion over all reward decisions and severity classifications.
Severity Levels & Reward Ranges
| Severity | Reward Range | Examples |
|---|---|---|
| Critical | Up to $500 | Remote Code Execution (RCE); SQL Injection with access to all customer data; Authentication bypass affecting all users; Server-Side Request Forgery (SSRF) leading to cloud metadata access |
| High | Up to $300 | Authentication bypass for individual accounts; Insecure Direct Object Reference (IDOR) exposing sensitive customer data; Stored XSS in privileged contexts; Privilege escalation from user to admin |
| Medium | Up to $150 | Reflected XSS in non-privileged contexts; IDOR exposing non-sensitive data; CSRF on state-changing operations; Information disclosure of technical details that could aid further attacks |
| Low | Up to $50 | Minor CSRF on non-critical operations; Open redirects without demonstrated security impact; Weak password policies; Rate limiting issues without DoS impact |
| Informational | No reward | Out-of-scope findings (see Section 5); Issues without security impact; Best-practice recommendations |
Additional Rules
- First valid report wins. Duplicate submissions after a triaged report are closed as duplicates.
- One bounty per vulnerability chain. If multiple chained issues are required to demonstrate impact, they are paid as a single finding based on the overall severity.
- Actual reward amount within the range depends on:
  - Attack complexity and exploitability
  - Scope of impact (number of affected users/data)
  - Quality and completeness of the report
  - Novelty of the attack vector
10. Appeal Process
If you disagree with the severity assessment or report closure decision:
- Reply to the report email thread with a detailed explanation of why you believe the assessment should be reconsidered.
- Provide additional evidence or technical details that support your position.
- Our security team will review your appeal within 30 business days.
- The appeal decision is final and at Keboola's sole discretion.
Please note: Appeals should be substantive and technical in nature. Repeated appeals on the same decision without new information may be considered spam.
11. Coordinated Disclosure
Keboola follows responsible disclosure principles:
- Confidentiality period: You must keep vulnerability details confidential until Keboola has issued a fix and 90 days have passed since the fix deployment.
- Early disclosure: If you wish to publish earlier, please coordinate with our security team. We may agree to an earlier timeline if the fix is deployed and tested.
- Public acknowledgment: With your permission, we may publicly acknowledge your contribution. Let us know your preference (real name, handle, or anonymous).
- No disclosure before fix: Public disclosure before a fix is available may result in ineligibility for rewards and program ban.
12. Communication Guidelines & Prohibited Behavior
To maintain an efficient and respectful disclosure process:
Acceptable:
- Initial report submission with complete details
- Reasonable follow-up if no response after 14 business days
- Substantive updates with new findings or technical details
- Questions about remediation timeline for critical issues
Prohibited (will result in permanent ban):
- Excessive status update requests (more than once per 14 days without justification)
- Spam or harassment of security team members
- Threatening public disclosure before coordinated timeline
- Submitting low-quality or auto-generated reports repeatedly
- Any behavior that violates program rules (Section 7)
Violation of communication guidelines or program rules will result in immediate and permanent ban from the program, forfeiture of any pending rewards, and potential legal action if applicable.
13. Our Commitment to You
- Acknowledgment within 14 business days of report receipt.
- Status updates every 30 days until resolution.
- Patch or mitigation within a commercially reasonable timeframe, prioritizing critical findings.
- Fair evaluation of all valid reports according to published criteria.
14. Report Rejection Policy
Keboola reserves the right to close reports without notice or response if they:
- Fall outside program scope (Section 5)
- Violate research guidelines (Sections 6, 7)
- Lack required quality standards (Section 8)
- Are submitted by previously banned researchers
This policy exists to maintain program efficiency and focus security team resources on valid, actionable reports.
Contact: security@keboola.com — for vulnerability reports and program questions.