Bug Bounty Programme

Kalipso values the work of security researchers who help keep our platform and users safe. This page defines the scope, rules, and process for responsible disclosure.

Eligibility

To qualify for a reward, a report must meet all five of the following criteria:

  1. Demonstrated, exploitable vulnerability specific to Kalipso. The report must include a proof of concept that has been successfully executed against Kalipso systems, not a generic description of a vulnerability class or a theoretical scenario. Showing that a vulnerability type exists in general is not sufficient; you must demonstrate, with evidence, that it works against our implementation.
  2. Direct security impact. The vulnerability must pose a concrete risk to the confidentiality, integrity, or availability of Kalipso systems or user data. Informational findings with no demonstrated impact do not qualify.
  3. Original, human-written report. The report must be written by the researcher who discovered the vulnerability. AI-generated, templated, or auto-submitted reports will be rejected without review.
  4. First report of the issue. Duplicate reports of a previously submitted or already-known vulnerability do not qualify.
  5. Responsible disclosure. The researcher must not disclose the vulnerability to any third party before Kalipso has had a reasonable period to remediate.

Scope

In scope

  • Authentication or authorisation bypass leading to unauthorised data access
  • SQL injection, remote code execution, or SSRF on critical production endpoints
  • XSS that can exfiltrate session tokens or sensitive data
  • Exposure of sensitive user data or credentials
  • Business logic flaws with verifiable unauthorised impact

Target: Critical endpoints on kalipso.ai only. All other domains and subdomains are out of scope.

Out of scope

  • Endpoints exposing no sensitive data, regardless of accessibility
  • Generic findings based on technology presence without demonstrated exploitation
  • Misconfiguration with no exploitable impact (verbose errors, missing headers, defaults)
  • Self-XSS, logout CSRF, or issues requiring unreasonable victim actions
  • Rate limiting or brute force on non-sensitive endpoints
  • Social engineering, phishing, or physical attacks
  • Denial of service (DoS/DDoS)
  • Vulnerabilities in third-party services, providers, or infrastructure not built and operated by Kalipso — including but not limited to authentication providers, identity platforms, login/logout pages, SSO flows, and hosted services. If the vulnerability is in a third-party component, report it to that provider directly
  • SSL/TLS, SPF/DKIM/DMARC, or infrastructure hardening suggestions

Automatic rejection

Reports will be rejected without review if any of the following apply:

AI-generated or templated reports

If the report was generated by an AI tool or vulnerability scanner, or copied from a template without analysis specific to Kalipso, it will be rejected. Such reports are readily identifiable.

Repeated submissions or follow-up pressure

Submitting the same finding multiple times or sending follow-up emails requesting payment before the review period has elapsed will result in rejection and exclusion from the programme.

No proof of concept against Kalipso

A report describing a generic vulnerability class or a theoretical attack without a working proof of concept executed against Kalipso systems will not be reviewed. A CVE reference or a description of how something could work in theory is not a valid report.

Automated scanner output

Pasting the output of Burp, Nuclei, Nessus, or similar tools without manual validation and demonstrated impact does not constitute a valid report.

Responsible disclosure guidelines

  • Report vulnerabilities to security@kalipso.ai as soon as they are discovered
  • Provide sufficient detail to reproduce the issue, including steps, screenshots, and proof-of-concept code
  • Do not access, modify, or delete data belonging to other users under any circumstances
  • Do not perform actions that could harm users, degrade services, or disrupt operations
  • Allow a minimum of 90 days for remediation before any public disclosure
  • Do not discuss the vulnerability publicly or with any third party until Kalipso has confirmed remediation

Rewards

Rewards are determined at Kalipso's sole discretion based on:

  • Severity: actual risk to Kalipso or its users
  • Impact: number of users or systems affected
  • Report quality: clarity, reproducibility, documentation
  • Exploitability: whether it can be exploited without unreasonable preconditions

Not all valid reports will receive a monetary reward. Low-severity, informational, or no-impact findings will generally receive acknowledgment only. Kalipso reserves the right to determine whether a report qualifies and the amount of any reward.

How to report

Send your report to security@kalipso.ai including:

  • A clear description of the vulnerability
  • Step-by-step reproduction instructions
  • Proof of concept (screenshots, video, or code)
  • Your assessment of the potential impact
  • The affected URL(s) or endpoint(s)

We aim to acknowledge receipt within 5 business days and provide an initial assessment within 15 business days. Do not send follow-up emails before this period has elapsed.

Legal safe harbour

Kalipso will not pursue legal action against researchers who discover and report vulnerabilities in good faith and in compliance with this programme's rules. This safe harbour does not extend to activities that violate applicable law, cause harm to Kalipso users, or fall outside the defined scope.

Kalipso reserves the right to modify, suspend, or terminate this programme at any time without prior notice. Participation does not create an employment or contractor relationship.

Last updated: April 2026