What reports and vulnerabilities are accepted

Priority

• Remote Code Execution (RCE);
• Injections (SQL, XML, SSTI, etc.);
• Reading or writing arbitrary files (LFI, RFI);
• SSRF (with demonstration of real impact);
• Access control vulnerabilities (IDOR, vertical/horizontal escalation);
• Authentication and authorization deficiencies;
• Business logic errors allowing bypass of financial/functional restrictions;
• Disclosure of sensitive or confidential information;
• Other vulnerabilities capable of affecting platform/data operation or security.

Special attention

Program scope

Web console for managing cloud resources

• console.k2.cloud

Cloud platform service domains

• autoscaling.ru-msk.k2.cloud
• autoscaling.ru-spb.k2.cloud
• backup.ru-msk.k2.cloud
• backup.ru-spb.k2.cloud
• cloudtrail.ru-msk.k2.cloud
• cloudtrail.ru-spb.k2.cloud
• cloudwatch.ru-msk.k2.cloud
• cloudwatch.ru-spb.k2.cloud
• directconnect.ru-msk.k2.cloud
• directconnect.ru-spb.k2.cloud
• ec2.ru-msk.k2.cloud
• ec2.ru-spb.k2.cloud
• efs.ru-msk.k2.cloud
• efs.ru-spb.k2.cloud
• eks.ru-msk.k2.cloud
• eks.ru-spb.k2.cloud
• elb.ru-msk.k2.cloud
• elb.ru-spb.k2.cloud
• ext.ru-msk.k2.cloud
• ext.ru-spb.k2.cloud
• iam.k2.cloud
• paas.ru-msk.k2.cloud
• paas.ru-spb.k2.cloud
• primary.k2.cloud
• route53.k2.cloud
• ru-msk.console.k2.cloud
• ru-spb.console.k2.cloud
• s3.ru-msk.k2.cloud
• s3.ru-spb.k2.cloud

What is not accepted within the program

Findings without practical value

• automated reports from scanners and other tools, if no proof of manual vulnerability exploitation is provided;
• disclosure of non-confidential or publicly available information: software version, username, public profiles, image metadata, technical headers and parameters;
• messages about best-practices non-compliance (e.g., absence of certain HTTP headers or CSP/DMARC/SPF/DNSSEC settings) are not accepted as standalone vulnerabilities unless real security impact is demonstrated (e.g., possibility of clickjacking attack, email spoofing, etc.);
• messages about open ports, IP addresses, DNS records without practical exploit;
• vulnerabilities related only to product/protocol version (e.g., "OpenSSL X.Y.Z is used"), without real exploitation scenario;
• reports about "logical" or "UI" errors without security impact.

Theoretical or impractical vulnerabilities

• Blind SSRF and open redirects if security impact is not demonstrated or possibility of exploitation for access to sensitive data is not shown;
• theoretical attacks not confirmed by practical Proof of Concept;
• problems related to demo stands, test environments, training domains and services if there is no threat to main infrastructure.

Methods excluded from the program

• attacks affecting service availability (DoS, flood, spam, brute-force, performance tests, resource exhaustion);
• social engineering attacks (phishing, interaction with customers, partners or company employees);
• vulnerabilities requiring physical access, modified or compromised devices, etc.

Other exclusions

• vulnerabilities in third-party services, client projects or external integrations that do not affect K2 Cloud platform security and its users
• problems related to absence of obfuscation or code reversal possibility without confirmed security impact;
• errors discovered by current or former company employees (within a year after dismissal);
• information obtained from public buckets in K2 Cloud.

Testing rules and ethics

Test responsibly

• use only your accounts or specially allocated test accounts;
• do not disrupt service operation, do not delete or modify other users' data;
• avoid actions that may lead to data loss, impact on other users or customers;
• do not do actions that may affect service availability for customers (DoS, flood, brute-force, etc.);
• do not use automated scanning tools with high intensity.

Prohibited

• researching vulnerabilities in K2 Cloud customer infrastructures (often these are addresses like *.elastic.k2.cloud);
• social engineering: phishing, spam, attempts to gain access through customers, partners or company employees;
• physical impact on equipment, offices, data centers and other company facilities;
• publishing or disclosing vulnerability information before they are fixed and without written consent from K2 Cloud;
• using discovered vulnerabilities for personal gain or bypassing tariff limitations.

Restrictions on especially sensitive categories

• to confirm vulnerabilities like RCE, SQL injections, LFI/RFI, SSRF and other potentially dangerous bugs, use the minimal impact and safe exploits for Proof of Concept (e.g., sleep, reading /etc/passwd, request demonstration);
• for dangerous operations (privilege escalation, infrastructure interference) - coordinate actions with the K2 Cloud security team before testing at bugbounty@k2.cloud.

Maintain confidentiality

• all information about discovered vulnerabilities must remain between the researcher and K2 Cloud security team until written permission for publication is obtained.

Participation principles

• follow ethics and laws - your actions must comply with information security rules and applicable legislation;
• follow program conditions - review the rules before starting testing;
• respect team decisions - if you disagree, justify your position and provide evidence, we are open to dialogue;
• the final reward decision is made by the K2 Cloud team.

Report formatting requirements

• Vulnerability name and description
• Category
• CVE (if available)
• Criticality level analysis according to CVSS v3.1
• Address (or component) of the affected service
• Step-by-step exploitation scenario description:
  • how the vulnerability was discovered;
  • what actions, parameters or conditions are needed for reproduction;
  • who and how can exploit the vulnerability.
• Technical Proof of Concept (PoC):
  • request/response examples, commands, scripts;
  • screenshots, video - if this helps verify the vulnerability (links to external sources are prohibited);
  • testing date and time.
• Impact assessment:
  • what data, services, users or infrastructure may be affected.
• Remediation recommendations
• Your K2 Cloud account login (if used)

Each report should describe one vulnerability. If the exploit is built on a chain of vulnerabilities, you may include them in one report. In this case, the description must be made as clear as possible and all required information for each vulnerability must be indicated in the report.
Screen recording and screenshots are welcome but do not replace detailed textual description and PoC.
Reports without necessary data for reproduction may be returned for revision.

Report processing and rewards

Review process

• All reports are checked by the K2 Cloud security team.
• We usually provide the first response within 5 business days.
• Full report review, validity determination and criticality level assessment usually takes up to 14 business days.
• The decision on vulnerability seriousness, need for remediation and reward amount is made individually, considering: technical novelty, real impact level, exploitation complexity, affected services, potential mass impact and other factors.
• Rewards are paid only for the first valid reports on a specific vulnerability (duplicates are not paid).
• Vulnerabilities without confirmed security impact or with theoretical scenarios may be recognized as informative and remain unpaid.
• The reward amount is determined individually and depends on vulnerability seriousness and its security impact.
• Reward amount determination is carried out within 30 calendar days after vulnerability validity confirmation and final report status establishment.
• In exceptional cases, review or payment timeframes may be increased, but in such cases we will definitely notify the researcher about reasons and estimated timelines.

Reward amounts

How we determine criticality and reward amount

• how the vulnerability can affect user data and their availability;
• scale of the problem: does it affect one customer, a separate service, or infrastructure as a whole;
• level of preparation and conditions required for an attacker to exploit (e.g., presence of special rights or chains of multiple bugs);
• probability of discovery and attack repetition by other researchers or attackers;
• need for end-user involvement or possibility to automate the attack;
• possible business consequences, including reputational risks and customer trust.

How criticality relates to payouts

• vulnerabilities with limited impact receive rewards closer to the lower range boundary;
• more serious problems that may affect multiple services or users are assessed in the middle of the range;
• the most dangerous cases (mass impact, critical business or customer damage) are rewarded closer to the upper range boundary.

For some categories (e.g., XSS or CSRF) maximum impact is usually limited to the scope of a single user or session. In such cases, rewards are distributed within low and medium criticality levels, and the upper range limit applies only in the presence of truly non-standard impact (e.g., XSS in admin panel, bypass of protective mechanisms, or using XSS as part of a chain for a more serious attack).

Duplicate handling rules

Technical details and support

Access to K2 Cloud

1. Write to bugbounty@k2.cloud.
2. In the email, provide a link to your confirmed profile on the Standoff365 platform.
3. We will provide access and necessary consultations.

Contacting the team

Updating and changing rules

Let's make K2 Cloud safer together