Found a bug? We pay for it.

We run a public bug bounty program. Safe harbor for good-faith research.

In scope

  • *.kagliostro.cloud
  • api.kagliostro.cloud
  • Mobile apps (iOS, Android) — once released

Out of scope

  • Denial-of-service, volumetric or distributed attacks
  • Social engineering of employees or customers
  • Physical attacks against Kagliostro infrastructure
  • Findings from automated scanners without proof of impact

Reward grid

  • Critical — USD 8,000 to 25,000
  • High — USD 2,500 to 8,000
  • Medium — USD 500 to 2,500
  • Low — USD 100 to 500 + Hall of Fame

How to report

Email security@kagliostro.cloud — PGP key fingerprint 9F1B 2A4D 88E2 7C0E 5511 4FBE 33CA 9971 02B7 D4A8. We acknowledge reports within 24h and triage them within 72h.

Safe harbor

We will not initiate legal action against researchers who comply in good faith with this policy. Test against your own account when possible; never access or modify other users' data.