1. Conditions

All criteria must be met in order to participate in the Krakatoa SA (“Krakatoa”) Early Access Program.

  • You are reporting in your individual capacity or, if you are employed by a company or other entity and are reporting on behalf of your employer, you have your employer’s written approval to submit a report to Krakatoa’s Early Access program.
  • You are at least 16 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.
  • You are not a resident of a Swiss Government embargoed country.
  • You are not on a Swiss Government list of sanctioned individuals.
  • You are not currently, nor have you been, an employee of Krakatoa, or a Krakatoa subsidiary, within 12 months prior to submitting a report.
  • You are not currently, nor have you been, under contract to Krakatoa, or a Krakatoa subsidiary, within 12 months prior to submitting a report.
  • You are neither a family nor household member of any individual who currently or within the past 12 months meets or met the criteria listed in the two bullet points directly above.
  • You agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your finding with Krakatoa.
  • You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
  • You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information. To clarify, Krakatoa does not view testing that is done in compliance with the terms and conditions of this bug bounty program as unauthorized.
  • There may be additional restrictions on your eligibility to participate in the bug bounty depending upon your local laws.
  • Krakatoa may revise the Early Access Program Terms or terminate the Early Access Program or exclude any participant at any time without prior notification.

2. Sensitive and Personal Information

Never attempt to access anyone else’s data or personal information including by exploiting a vulnerability. Such activity is unauthorized. If during your testing you interacted with or obtained access to data or personal information of others, you must:

  • Stop your testing immediately and cease any activity that involves the data or personal information or the vulnerability.
  • Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
  • Alert Krakatoa immediately and support our investigation and mitigation efforts.

Failure to comply with any of the above will immediately disqualify any report from Early Access award eligibility.

3. Eligible Reports

To be eligible for award consideration, your report must meet the following requirements:

  1. The report and any accompanying material must be sent to Krakatoa using this email.
  2. The vulnerability you identify must be original, not previously reported to Krakatoa, and not publicly disclosed.
  3. The report must show that the potential vulnerability has been demonstrated against the most recent publicly available version of the Wallem App.

The report must contain clear documentation that provides the following:

  1. An overview/summary of the reported vulnerability and potential impact.
  2. A detailed explanation of the reported vulnerability, how it can be exploited, the impact of the vulnerability being successfully exploited, and the likelihood of a successful exploit.
  3. Instructions that clearly demonstrate the issue. It must include instructions that, if followed by Krakatoa’s team, would successfully demonstrate the existence of the issue.
  4. All necessary details that will help Krakatoa identify the issue.

4. Awards

Eligibility for any award and award amount determinations are made at Krakatoa’s sole discretion. These are some general guidelines that may vary from published documentation:

  • Awards may be greater:
    1. based on the potential impact of the issue
    2. for well-written reports with complete reproduction instructions / proof-of-concept material. See the eligible report requirements above.
    3. if a functional mitigation or fix is proposed along with the reported vulnerability.
  • Krakatoa will award a bounty award for the first eligible report of an issue.
  • Awards are limited to one (1) bounty award per eligible issue.
  • Award amounts may change with time. Past rewards do not necessarily guarantee the same reward in the future.

5. Play by the rules

Before attempting anything, reporting a bug or joining our program, please be aware that testing our environment can be designated as a criminal act by the relevant authorities if you are violating Swiss law or any other law. Please be aware that our rules do not supersede any applicable laws. However, we will not report you to the authorities if you abide by the rules provided—as long as we are not required to do so by applicable laws.

If you have any questions regarding these Terms, please contact us at contact@wallem.io.