Kledo Bug Bounty Program

Kledo is committed to resolving any security issues that may jeopardize the safety of our products and services as quickly as possible. We take security vulnerabilities very seriously, and protecting client data is one of our top priorities.

If you have discovered a vulnerability or security flaw, we would greatly appreciate it if you could keep your findings confidential and disclose relevant information to us in a responsible manner, as outlined below.


What Should Be Included in the Report?

Please provide as much detailed information as possible. Specifically, we appreciate the following:

  • A description of the security vulnerability

  • A list of products and services that may be affected (including version, if applicable)

  • Steps to reproduce the vulnerability

  • Proof-of-Concept code or software

  • Test accounts you have created

  • URLs, IP addresses, or infrastructure related to the vulnerability (if relevant)

  • Your contact information, such as your organization and a contact person for communication purposes

Scope

Out-of-Scope Activities

Kledo considers the following activities potentially harmful to the platform, or unhelpful in securing our environment and applications, and they are out of scope:

  • Social engineering, including phishing

  • Network DoS and DDoS

  • Brute-force attacks

  • Physical attacks

  • Any actions that alter or damage data

Types of Out-of-Scope Vulnerabilities

Kledo considers the following vulnerability classes as out-of-scope:

  • Missing web security headers
  • Phishing-related issues, such as tabnabbing
  • Email server misconfigurations (SPF, DKIM, DMARC)
  • Absence of CSRF protection on the logout button
  • Missing CSP headers and X-Frame-Options bypasses
  • Missing or weak cookie security flags
  • Overly broad SSL/TLS certificate scope
  • Weak SSL/TLS ciphers or outdated TLS versions enabled
  • Email template injection
  • Unverified results from automated tooling
  • Broken links and/or redirects
  • Internal IP address disclosure
  • Minor infrastructure detail disclosure without significant impact
  • Verbose error messages without significant impact
  • Insecure HTTP methods enabled
  • Issues that only affect unsupported browser versions
  • Issues with robots.txt

Next Steps

  1. Please keep your findings confidential and do not publish them until we have completed our investigation and implemented patches or other mitigations.
  2. The Kledo security team will try to contact you within 72 hours of receiving your vulnerability report and will keep you updated on our progress in resolving the issue.
  3. We will notify you once our security team has patched or mitigated the vulnerability, and we will add your name to the acknowledgments section on this page if the report is a valid high- or critical-severity vulnerability.

Rules Of Engagement

Please ensure you do not:

  • Exploit the vulnerability beyond what is needed to demonstrate it
  • Access, delete, or modify Kledo or client data
  • Disclose the vulnerability to the public until it is resolved
  • Download more data than necessary to demonstrate the vulnerability
  • Attempt to access or compromise client accounts
  • Use social engineering, denial of service, or phishing attacks

Reward Policy

Kledo does not offer fixed compensation for disclosing vulnerabilities in our systems. However, all efforts to help make Kledo more secure are appreciated, and you will receive appropriate recognition, especially for high-impact or high-quality submissions.


Acknowledgments to Security Researchers

Kledo thanks all security researchers and professionals who have helped improve the security of Kledo’s products and services through responsible disclosure programs.

Top 10 Bug Hunters Kledo

Ranking   Nickname                        Points
#1        Cadbudsad                       30 pts
#2        John Balfess                    25 pts
#3        Alfath Marchdika Cahyatullah    20 pts
#4        Farelino Pairuz Ikhwansyah      10 pts
#5        Muhammad Rizky Firdaus          10 pts