Bug Bounties

Kiwi.com

Powered by: 

Allows bounty splitting: 

Average time to first program response: 9

Average time to bounty awarded: 45

Average time to report resolved: 1159

Handle kiwicom

Managed program: true

Name: Kiwi.com

Offers bounties: true

Offers swag: true

Response efficiency percentage: 99

Submission state: open

Url: https://hackerone.com/kiwicom

Website: https://www.kiwi.com

In scope:

  • Asset identifier: *.kiwi.com
  • Asset type: URL
  • Availability requirement: low
  • Confidentiality requirement: medium
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Mostly branded versions of our main www.kiwi.com site. Please report vulnerabilities only for www.kiwi.com and don't duplicate them here.
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: *.skypicker.com
  • Asset type: URL
  • Availability requirement: low
  • Confidentiality requirement: medium
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: APIs & internal tools.
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: auth.skypicker.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Authentication API used on www.kiwi.com.
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: com.skypicker.Skypicker
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: low
  • Confidentiality requirement: medium
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: **Primary target** - Available in [App Store](https://itunes.apple.com/bs/app/kiwi-com-cheap-flight-tickets/id657843853)
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: com.skypicker.main
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: low
  • Confidentiality requirement: medium
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: **Primary target** - Available in the [Play Store](https://play.google.com/store/apps/details?id=com.skypicker.main)
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: https://github.com/kiwicom/*
  • Asset type: SOURCE_CODE
  • Availability requirement: medium
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Note that archived projects are out of scope.
  • Integrity requirements: low
  • Max severity: high



  • Asset identifier: jobs.kiwi.com
  • Asset type: URL
  • Availability requirement: low
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Hiring page, no sensitive information, likely no impact on our company.
  • Integrity requirements: low
  • Max severity: medium



  • Asset identifier: tequila.kiwi.com
  • Asset type: URL
  • Availability requirement: medium
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: B2B platform. Backend API requests are proxied via **tequila-api.kiwi.com** & **api.tequila.kiwi.com**
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: www.kiwi.com
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Our main website
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: www.kiwi.com/stories
  • Asset type: URL
  • Availability requirement: medium
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Online travel magazine Kiwi.com Stories, with very limited impact on our sites & infrastructure.
  • Integrity requirements: low
  • Max severity: high