Kyivstar is the largest Ukrainian telecommunication operator, providing communications and data services based on a broad range of mobile and fixed-line technologies, including 4G. The company's customer base amounts to over 26 million in mobile and over 800 thousand in broadband Internet.
Kyivstar values engaging third-party researchers to improve our products, making them safer and more reliable. We understand our responsibility to provide our customers with quality services, and we constantly improve the protection of our subscribers' personal data. Moreover, Kyivstar strives to keep abreast of the latest state-of-the-art security developments by working with security researchers. Our goal with the Bug Bounty program is to foster a collaborative relationship with researchers who participate in the responsible disclosure of vulnerabilities in Kyivstar's resources and connected services.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
When submitting an issue, please be sure to include the following: browser, browser version, URL, steps to reproduce, etc.
[rewards for this program vary based on the target, please review below for more info]
| Severity | Mobile Apps | Web Apps |
|---|---|---|
| P1 | $2000 - $3000 | $1000 - $1500 |
| P2 | $1400 - $1800 | $700 - $900 |
| P3 | $400 - $800 | $200 - $400 |
| P4 | $100 - $200 | $100 |
| P5 | no reward | no reward |
1 Bug, 1 Reward
If a single submitted vulnerability has a widespread effect on multiple separate services or features, the issue is only eligible for a single reward. The first valid vulnerability will be rewarded.
Regarding review and reward
Kyivstar will pay a submission's bounty after the vulnerability has been reviewed by the Kyivstar team. Please be aware that Kyivstar will work to review and reward issues as quickly as possible; to this end, it's worth noting that on average, this could be anywhere between 1-6 business days after the issue has been triaged by Bugcrowd.
The following finding types are specifically excluded from the bounty:
- Open redirects (through headers and parameters) / Lack of security speedbump when leaving the site.
- Text injection.
- Email spoofing (including SPF, DKIM, From: spoofing, and visually similar, and related issues).
- Clickjacking and issues only exploitable through clickjacking.
- Lack of Secure and HTTPOnly cookie flags (critical systems may still be in scope).
- Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements.
- Username / email enumeration by brute forcing / error messages (e.g. login / signup / forgotten password).
- Exceptional cases may still be in scope (e.g. ability to enumerate email addresses via incrementing a numeric parameter).
- No Captcha or rate limit on Login Page.
- Denial of Service attacks.
- Misconfigured DNS issues.
We will not fix any P4 issues on community.kyivstar.ua
Out of scope
Any domain/property of Kyivstar not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Credentials | Access:
All of the in-scope targets are publicly accessible, and researchers are free to test using any accounts they're able to self-provision or already have access to. A couple of apps have credentials you can request (read the section below for more info). In particular, Ukrainian researchers and researchers from neighboring countries are highly encouraged to participate in this program.
Regarding requesting credentials:
Each requesting researcher will be given one test account. Please follow the guide below to obtain credentials.
- To request creds for the program, first log into your Bugcrowd researcher account.
Current Researchers can log in here: https://bugcrowd.com/user/sign_in.
New researchers can sign up here: https://bugcrowd.com/user/sign_up.
- Once signed in, please email email@example.com to request credentials using the subject line "Kyivstar Credential Request".
You will be provided a unique, working credential for My Kyivstar as soon as we're able to provision it. That said, please allow roughly 24 business hours for creds to be provided (and be aware that Bugcrowd operates out of the PST timezone).
Kyivstar Official Marketing Website
- https://kyivstar.ua (web)
Kyivstar E-shop Website
- https://shop.kyivstar.ua (web)
Apps of My Kyivstar:
- My Kyivstar web & mobile applications.
- Money Kyivstar service.
Responsible Disclosure Guidelines:
We will investigate legitimate reports and make every effort to correct any valid vulnerabilities as quickly as possible. In the spirit of encouraging responsible disclosure and reporting we ask you to follow these Responsible Disclosure Guidelines:
- Provide full details of the vulnerability, including information needed to reproduce and validate the issue by producing Proof of Concept (code, technical demos of vulnerability, or necessary steps needed to demonstrate your finding).
- Provide details about the expected impact of the vulnerability on the system where you found it.
- Avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Your Proof of Concept should not trigger Denial of Service on our Target or any noticeable slowdown of its performance.
- Do not modify, access, or retain data that does not belong to you.
- The submitting researcher may not be the author of the code containing the submitted vulnerability.
- The submitting researcher may not be employed by Kyivstar (directly or indirectly), currently or within the past 3 years.
- The submitting researcher may not be a vendor of Kyivstar, currently or within the past 3 years.
- Vulnerabilities which are disclosed to any party other than Kyivstar, including vulnerability brokers, will not qualify for Bug Bounty reward. This includes both full public disclosure and limited private release. Disclosure of any kind must be approved in writing by Kyivstar prior to release.