# Kryll³ Vulnerability Disclosure Policy (VDP)

**Last updated:** 2 September 2025  
**Contact:** [security@kryll.io](mailto:security@kryll.io)  
**Encryption:** If you require an encrypted channel, please email security@kryll.io requesting our temporary PGP key or an alternative secure upload link.

---

## 1. Purpose
Kryll values the security of its products, services, and users. This Vulnerability Disclosure Policy (VDP) describes the rules of engagement for security researchers who wish to report vulnerabilities to us. Our aim is to provide a clear, safe, and rewarding process that helps protect the Kryll ecosystem.

---

## 2. In‑Scope Assets
Only the following Kryll³ production assets are eligible for bounty consideration:

| Asset | Domain / URL |
|-------|--------------|
| **Web application** | <https://app.kryll.io> |
| **Marketing site**  | <https://www.kryll.io> |
| **Tools portal**    | <https://tools.kryll.io> |

Unless explicitly stated, all sub‑paths and sub‑resources under these hostnames are included. Any asset not listed above is considered out of scope.

---

## 3. Out‑of‑Scope Targets & Test Types
The following are **not** eligible, and testing against them is prohibited:

* <https://platform.kryll.io> (Kryll legacy platform)
* Denial‑of‑Service, Distributed Denial‑of‑Service (DDoS), or any resource‑exhaustion attacks
* Social‑engineering, phishing, or attacks against Kryll personnel, users, or partners
* Physical security testing or attempts to gain physical access to Kryll facilities
* Vulnerability scans that produce excessive traffic or degrade service quality

Reports that only include out‑of‑scope targets or methods will be closed as **informational** without reward.

---

## 4. Eligibility Requirements
To qualify for a bounty, you **must**:

1. Adhere to this policy and act in good faith at all times.
2. Perform testing only on in‑scope assets, using methods that avoid service disruption.
3. Stop testing and notify us immediately upon finding a vulnerability or indicator of compromise.
4. Keep vulnerability details confidential until we confirm remediation or grant written permission for disclosure.
5. Provide a valid ERC‑20 wallet address capable of receiving **KRL** tokens.

Researchers who are (i) residents of, or reporting from, countries under current EU, US, or UN sanctions, or (ii) on any applicable sanctions list, are **not** eligible for rewards.

---

## 5. Reporting Guidelines
Send your report to **security@kryll.io** encrypted with our PGP key. Include at minimum:

* A concise description of the vulnerability and its security impact.
* Exact steps to reproduce (preferably in numbered form).
* Proof‑of‑Concept (PoC) code or screenshots.
* The affected URL(s), parameter(s), and/or API call(s).
* The CVSS v3.1 base score you believe appropriate.
* Your ERC‑20 wallet address to receive KRL rewards.

### 5.1 Report Quality
High‑quality, well‑structured, and easily reproducible reports accelerate triage and increase the likelihood of higher rewards.

---

## 6. Reward Structure (Paid in KRL)
Rewards are issued **solely** in KRL tokens. Amounts may fluctuate with market price and are subject to change at Kryll’s discretion.

| CVSS v3.1 Severity | KRL Tokens (≈ USD, guidance) | Example Findings |
|--------------------|------------------------------|------------------|
| **Critical** (9.0–10.0) P1 | ~ 2 000 - 4 000 USD in KRL | Remote Code Execution, private‑key disclosure, authentication bypass with full account takeover |
| **High** (7.0–8.9) P2 | ~ 500 - 2 000 USD in KRL | Privilege escalation, significant information disclosure, stored XSS affecting all users |
| **Medium** (4.0–6.9) P3 | ~ 200 - 500 USD in KRL | Reflected XSS, CSRF with meaningful impact, sub‑domain takeover without PII exposure |
| **Low** (1.5–3.9) P4 | ~ 25 - 200 USD in KRL | Clickjacking, missing security headers, best‑practice weaknesses with meaningful impact or direct exploit |
| **Informational** (0.1–1.5) P5 | Appreciation only (no guaranteed reward) | Non‑exploitable best‑practice improvements, typos, missing security headers without impact |

Rewards for duplicate reports are granted to the first researcher who submitted a reproducible report.

---

## 7. Response Targets (SLA)

| Stage | Target Time | Notes |
|-------|-------------|-------|
| **Triage** | 7 business days | Confirmation that the report has been received and is under review |
| **First Response** | 15 business days | Communication of preliminary assessment and next steps |
| **Fix Deployment** | 90 days (goal) | May vary depending on complexity and business risk |
| **Reward Issuance** | After fix deployment **and** validation by the reporting researcher | Paid in KRL to the wallet provided |

We strive to keep you informed of progress at least every 30 days until closure.

---

## 8. Confidentiality & Disclosure
All submitted reports are considered **confidential information**. Public disclosure, write‑ups, blog posts, or media statements are **prohibited** without prior written consent from Kryll. We maintain a public **Hall of Fame** to recognize researchers who assist us.

---

## 9. Safe Harbor
Kryll will not initiate civil or criminal action, nor pursue law‑enforcement referral, against researchers who:

* Comply with this policy and any related laws;
* Act in good faith to avoid privacy violations, service degradation, or data destruction; and
* Report vulnerabilities promptly and confidentially.

If at any time you are uncertain whether your actions are permissible, **stop testing** and contact us.

---

## 10. Legal & Tax Considerations

* Rewards may be subject to taxation in your jurisdiction. You are solely responsible for any tax obligations.
* Rewards cannot be paid to individuals or entities located in—or acting on behalf of—a jurisdiction subject to EU, US, or UN economic sanctions.
* Participation in this program does not create any employment relationship or confer any rights beyond those expressly stated herein.

---

## 11. Version Information

| Version | Date | Change Summary |
|---------|------|----------------|
| **v1.0** | 1 August 2025 | Initial release |

---

Thank you for helping us keep Kryll and its users secure.

