Kiln Web / Infra

The following hostnames are included in the scope:

• kiln.fi
• dashboard.kiln.fi
• gateway.kiln.fi
• ledger-live-app.kiln.fi
• ledger-vault-gateway.kiln.fi
• vault.kiln.fi
• sqlpad.kiln.fi
• api.kiln.fi
• stake.kiln.fi
• widget.kiln.fi
• *.thegraph.kiln.fi
• https://eth.minitel.app/
• https://sol.minitel.app/
• *.minitel.app

If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.

Severity examples and Reward rules:

• Critical with Fund Loss

  • Bounty: 10% of the funds directly affected (up to a maximum of $100,000).
  • Major fund loss through any means.

• Critical

  • Bounty: Up to $20,000.
  • Remote access to execute arbitrary code on the server, leading to full control of server operations.
  • SQL injection resulting in full database compromise, unauthorized data manipulation, or leakage.
  • Exploiting misconfigured IAM policies to gain unauthorized access to cloud infrastructure (e.g., virtual machines, storage buckets).

• High

  • Significant broken authentication or session hijacking.
  • Privilege escalation affecting critical functionality.

• Medium

  • Access control bypass.
  • Privilege escalation.
  • Reflective or stored XSS.
  • CSRF, open URL redirection, directory traversal.
  • Subdomain takeover of in-scope domains.

• Low

  • Sensitive information leakage (excluding metrics).
  • Incorrect API access controls.

Duplicate reports will not be rewarded. If multiple researchers report the same issue, we will reward only the first valid submission based on the time of receipt. However, we encourage researchers to include detailed PoCs and exploitation scenarios to help distinguish their reports.

The aggregate, maximum amount of Payouts for Kiln Web / Infra Bounty program is $500,000. All Payout amounts will be calculated based on the order in which the submission was received. The Program will be updated as appropriate to provide updates on Payout eligibility and amounts.

Note: Actual reward amounts are determined at Kiln’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.