1. Introduction
At Keasy Inc., we value the security of our customers, users and their data. We believe in the power of a collaborative security community and welcome responsible disclosures from independent security researchers. If you believe you have discovered a security vulnerability in one of our products, please report it to us, and we will work with you to resolve it.
This program provides clear guidelines for conducting security research and submitting vulnerabilities. Researchers who follow these guidelines will receive a reward and our sincere thanks.
2. Scope
The following domains and applications are in-scope for this program:
- *.keasy.com
- www.keasy.com
- The Keasy Application (app.keasy.com)
The following assets are explicitly out-of-scope:
- Vulnerabilities in third-party services that do not directly affect Keasy’s systems.
- Physical attacks on Keasy Inc. offices or data centers.
- Vulnerabilities found through automated scanning tools without a manually verified proof of concept.
- Social engineering attacks against Keasy employees, partners or contractors.
3. Vulnerability Eligibility and Rewards
Keasy Inc. will reward eligible vulnerability submissions based on severity, which will be determined using the CVSS (Common Vulnerability Scoring System; the specification can be reviewed at https://www.first.org/cvss/v4-0/specification-document). Rewards may vary depending on the complexity of the issue and the impact on our systems.
Reward Tiers (Monetary bounties will vary based on severity):
- Critical: Remote code execution (RCE), SQL injection resulting in data exfiltration.
- High: Cross-site scripting (XSS) on critical, authenticated pages; significant data leakage.
- Medium: Stored XSS on non-critical, authenticated pages; certain CSRF vulnerabilities.
- Low: Reflected XSS on non-critical pages; information disclosure with limited impact.
- Informational: Non-exploitable vulnerabilities, best practice recommendations.
Vulnerabilities that do not qualify for a reward include:
- Attacks requiring physical access to a user’s device.
- Missing security headers that do not demonstrate a direct security impact.
- Denial-of-Service (DoS) attacks.
- Vulnerabilities found on out-of-scope assets.
- Theoretical or non-exploitable vulnerabilities.
4. Guidelines and Rules
To ensure a safe and effective program, all researchers must adhere to the following rules:
- Do not violate privacy: Only interact with your own data or test accounts.
- Do not disrupt services: Avoid any action that could degrade the user experience or disrupt production systems.
- Limit exploitation: Only exploit vulnerabilities to the extent necessary to confirm their presence. Do not exfiltrate data.
- No public disclosure: Do not publicly disclose any vulnerability until Keasy Inc. has had a reasonable amount of time to resolve it.
- Follow the law: All research must be conducted in compliance with all applicable local, state, and federal laws.
5. Reporting a Vulnerability
To submit a vulnerability, please send a detailed report to security@keasy.com with the following information:
- A clear and concise title describing the issue.
- A detailed description of the vulnerability.
- Steps to reproduce the vulnerability, including URLs, tools, and test accounts.
- Evidence of exploitation, such as screenshots or a video.
- Potential impact of the vulnerability.
6. Safe Harbor
Keasy Inc. is committed to protecting security researchers who follow the rules of this program. We will not initiate legal action against you or ask law enforcement to investigate you, provided you:
- Play by the rules of this policy.
- Report the vulnerability directly to us and do not disclose it publicly before we have had a chance to remediate.
- Avoid violating the privacy of our users.
- Do not disrupt or degrade our systems.
7. Legal Information
This bug bounty program is not an employment contract or a promise of compensation. Any rewards offered are purely discretionary and subject to Keasy Inc.’s final decision. Keasy Inc. reserves the right to terminate or modify this program at any time without prior notice. All monetary rewards offered are at Keasy’s sole discretion and shall be paid out via United States-based banks in U.S. dollars only. Keasy does not offer bug bounty payment in alternative currencies or forms such as cryptocurrency, non-U.S. currency, reward cards, hard goods, etc.
By submitting a report, you agree to these terms.
To submit a report in the above format with the information listed, email: bugbounty at keasy d0t us
Publication Date: 9-8-2025
