Kenna Security

  • $50 – $4,500 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

101 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day

$350 average payout (last 3 months)

Latest hall of famers

Recently joined this program

775 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

About Our Platform

Kenna Security is a leader in risk-based vulnerability management. The Kenna Security Platform enables organizations to measure, prioritize, and predict cyber risk. Kenna leverages Cyber Risk Context Technology™ to track and predict real-world exploitations, focusing security and IT operations teams on what matters most.

Special Holiday Bonus!

Considering joining or re-engaging on our bug bounty program?

From now until January 8th, 2021, Kenna Security will be offering a **50% bonus on any submissions with a severity level of P1 or P2

  • This is a limited-time bonus, so make sure you submit before 2021-01-08
  • Unique and critical level findings will be considered for additional bonuses

Reward range

Last updated

Technical severity Reward range
p1 Critical $3,000 - $4,500
p2 Severe $1,500 - $1,750
p3 Moderate $150 - $300
p4 Low $50 - $100
P5 submissions do not receive any rewards for this program.


In scope

Target name Type Tags
https://[your-subdomain] Website Testing
  • Website Testing Website Testing
  • Website Testing API Testing
  • API Testing
  • HTTP
Any Host Verified To Be Owned By Kenna (Domains/IP space/etc.) Other

Out of scope

Target name Type
Any Kenna Security Platform Subdomain Not Created By You Website Testing

Researcher Platform Sign-Up:

Older instances hosted on will be disabled on August 1st, 2020. Please create a new instance on before that date.

Focus Areas:

  • Authentication and Authorization weaknesses.
  • Cross-account data leakage or unauthorized access
  • Stored/Reflected/DOM-based Cross-Site Scripting (XSS)
  • SQL Injection (SQLi)
  • Server-side Remote Code Execution (RCE)
  • Server-side Request Forgery (SSRF)
  • Broken access controls (insecure direct object references, etc.)

Out Of Scope:

  • Any testing/submissions against Kenna Security customer subdomains is strictly prohibited, not eligible for a reward.
  • Distributed Denial of Service and Application Level Denial of Service Attacks.
  • Accessible Non-sensitive files and directories (e.g., README.TXT, CHANGES.TXT, robots.txt, gitignore, etc.).
  • Social engineering/phishing attacks.
  • Self XSS.
  • Text injection.
  • Email spoofing (including lack of SPF, DKIM, From: spoofing, and visually similar, and related issues).
  • Descriptive error messages (e.g., stack traces, application or server errors, path disclosure).
  • Clickjacking and issues only exploitable through clickjacking. CSRF issues that don't impact the integrity of an account (e.g., login or out, contact forms and other publicly accessible forms) Lack of Secure and HTTPOnly cookie flags
  • Missing HTTP security headers.
  • TLS/SSL Issues, including BEAST BREACH, insecure renegotiation, bad cipher suite, expired certificates.
  • Out-of-date software.

Third-Party Bugs

If issues reported to our bug bounty program affect a third-party library, external project, or another vendor, Kenna Security reserves the right to forward details of the issue to that party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers through this process.

Coordinated Disclosure Guidelines

We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you provided you comply with the following guidelines:

Coordinated Disclosure Guidelines

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Do not modify or access data that does not belong to you.
  • Give Kenna Security a reasonable time to correct the issue before requesting an update or taking any additional action.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.