Bug Bounty Program
Last updated July 9, 2026
At KYCAID (hereinafter – the Company) we take the security of our platform and the protection of our clients’ data extremely seriously. We value the work of the security research community and welcome reports of security vulnerabilities in our products and services. This page describes our vulnerability disclosure and bug bounty program, including how to report an issue, what is in scope, and the rules of engagement.
How to report
If you believe you have discovered a security vulnerability, please email us at [email protected]. To help us validate and reproduce the issue quickly, please include as much of the following information as possible:
- A clear description of the vulnerability and its potential impact;
- Step-by-step instructions to reproduce the issue;
- The affected URL, endpoint, or component;
- Any proof-of-concept code, screenshots, or logs that support your findings;
- Your name or handle if you would like to be credited.
We aim to acknowledge every report within 3 business days and to provide a resolution timeline after our initial assessment.
Scope
The following assets are in scope for this program:
- The KYCAID website and its subdomains (kycaid.com);
- The KYCAID web application and client dashboard;
- The KYCAID public API (api.kycaid.com);
- The KYCAID mobile SDKs and verification widgets.
Out of scope
The following types of findings are considered out of scope and are generally not eligible for a reward:
- Denial of Service (DoS/DDoS) attacks or volumetric testing;
- Social engineering, phishing, or physical attacks against our staff or offices;
- Reports from automated scanners without a demonstrated, exploitable impact;
- Missing security headers or best-practice recommendations without a proven vulnerability;
- Vulnerabilities in third-party services or software that we do not control.
Rules of engagement
To keep our users safe and to qualify for our program, researchers must:
- Make a good-faith effort to avoid privacy violations, data destruction, and interruption or degradation of our services;
- Only interact with accounts you own or have explicit permission to access — never access, modify, or delete other users’ data;
- Not use, disclose, or store any personal or confidential data encountered during testing;
- Give us a reasonable amount of time to investigate and remediate an issue before disclosing it publicly;
- Comply with all applicable laws and regulations.
Safe harbor
When conducting vulnerability research in accordance with this policy, we consider your research to be authorized, and we will not pursue or support legal action against you for accidental, good-faith violations of this policy. If legal action is initiated by a third party against you in connection with activities conducted under this policy, and you have complied with it, we will take steps to make it known that your actions were conducted in compliance with this policy.
Recognition and rewards
At this time our program operates primarily as a coordinated vulnerability disclosure program. Rewards are granted at our discretion based on the severity, impact, and quality of the report. With your permission, we are happy to publicly acknowledge your contribution to the security of KYCAID.