Kiln Web / Infra
Maximum reward
$100,000
Severity / Max. Reward
Critical: $100,000
High: $8,000
Medium: $2,500
Low: $1,000
No deposit required
Findings submitted
14
Start date
30 Oct 2025
Introduction
Kiln is a staking platform that enables users to stake directly, or to white-label staking into their own product.
It allows individuals or clients to stake crypto assets, manually or programmatically, while keeping custody of their funds in their existing custody solution, such as Fireblocks, Copper, or Ledger.
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by Kiln, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
Please report vulnerabilities directly through the Spearbit/Cantina platform. Please include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope.
- Provide sufficient information to reproduce and fix the vulnerability.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Test methods
The following testing and reporting activities are strictly prohibited:
- Out-of-Scope Services: Any service not listed in the scope, including any connected services, is excluded from scope and is not authorized for testing.
- Destructive Testing: Any form of testing that disrupts, damages, or degrades the usability of our systems, services, or data.
- Unauthorized Access to Data: Accessing, downloading, modifying, or deleting data from Kiln systems or services that the researcher does not own.
- Social Engineering: Any form of testing involving deception or manipulation of our employees, contractors, or users.
- Denial of Service: Executing any form of attack that degrades, disables, or interrupts service availability.
Other Terms
By submitting a report, you grant Kiln the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Kiln. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.