Thank you for helping keep the Kaia ecosystem secure.
We operate a responsible disclosure and bug bounty program in partnership with HackenProof. This document outlines how to report vulnerabilities, our bounty scope, and program rules.
Please do not use GitHub, email, or Discord to report vulnerabilities.
Instead, submit all reports via our official bug bounty dashboard:
👉 Report a vulnerability on HackenProof
You must report vulnerabilities within 24 hours of discovery and exclusively via HackenProof to be eligible for a bounty.
We offer bounties for valid, impactful vulnerabilities across the Kaia Protocol and Kaia Web ecosystem.
Reward amounts vary based on:
- Impact
- Severity
- Quality of report and PoC
The Kaia Protocol program focuses on blockchain protocol vulnerabilities, including but not limited to:
- Stealing or loss of funds
- Unauthorized or manipulated transactions
- Price or fee manipulation
- Balance or tokenomics manipulation
- Privacy violations
- Cryptographic flaws
The Kaia Web program focuses on web-based vulnerabilities such as:
- Business logic issues
- Payment manipulation
- Remote Code Execution (RCE)
- SQL/XXE Injection
- Access control issues (IDOR, Privilege Escalation)
- Sensitive data leaks
- SSRF, CSRF, XSS
- File inclusion, directory traversal
See the full list on our Kaia Web HackenProof Program page.
Some issues are not eligible for bounties, including:
- Network-level DoS
- Attacks with unrealistic assumptions, e.g., ones that require the attacker to already control a privileged account
- Vulnerabilities in third-party tools
- Best practice concerns without PoC
- Clickjacking and open redirects without demonstrated impact
- TLS config, SPF/DMARC/DNS misconfigs
- Lack of HTTP headers, verbose errors, self-XSS
- DoS/DDoS, social engineering, or phishing
- Issues only affecting outdated browsers
- Vulnerabilities requiring unlikely user actions
See the full list of exclusions on our Kaia Web HackenProof Program page.
To participate, you must follow these rules:
- Test only in-scope assets; do not attack infrastructure or third-party systems
- Do not spam forms or create high-traffic scans
- Do not attempt DoS, phishing, or social engineering
- Do not access or modify other users’ data
- Do not disclose vulnerabilities publicly without our permission
All tests should be confined to your own accounts or test environments.
To qualify for a reward:
- Be the first to report the issue
- Submit only through HackenProof
- Include clear steps to reproduce and a working PoC
- Do not be a current or former Kaia employee or contractor
- Provide a working PoC; AI-generated reports without one are not eligible
Disclosure rules:
- Do not share vulnerabilities publicly, even after they are resolved
- All communication must go through HackenProof
- Public disclosure will disqualify the report
Thanks for helping us improve Kaia’s security! We appreciate every responsible disclosure.