Security vulnerability reward program

Komoot rewards the effort of security researchers who help us to make our platform more secure. We offer rewards for finding security vulnerabilities in our website, mobile applications and backend infrastructure.

How to submit your report

Please submit your PGP encrypted report via email to security@komoot.com. Use our public PGP key to encrypt your report. Only encrypted reports with [BUG BOUNTY] in the email subject will be considered.

Eligible for bounty rewards

We reward submissions of vulnerabilities for the following systems:

Our website on komoot.com, account.komoot.com (and its language domains komoot.de/fr/it/etc.). This also includes subdomains like account.komoot.com, but not blog.komoot.com/de/fr/it/... or *tile.komoot.* or *thunderforest.komoot.* . Note that some integrations are run by 3rd parties so we might delegate your submission to our partners.

Our mobile apps including Android, iOS, Garmin and Samsung Watch.

Our oauth2 integration for 3rd parties.

Our backend APIs on *.komoot.net and *.komoot.de.

Our AWS infrastructure including access to AWS APIs with vulnerable permissions or network access to our VPCs.

Our DNS configuration.

Our email system.

Out of scope for bug bounties are currently

The SPF email configuration.

The password/email change/reset handling and the facebook login. Also our password policy is out of scope.

Password confirmation for account actions, for example delete.

Spam or social engineering techniques.

Profile pictures available publicly. Your current profile picture is always public (regardless of size or resolution).

Accessing photos via raw image URLs from our CDN. Also accessing cached images after account deletion.

Information disclosure of the used software or their versions.

Clickjacking attacks unless they clearly modify of exfiltrate protected user data.

Our wordpress instances.

Missing CAA records, missing HSTS header or "weak" TLS/SSL ciphers.

Bruteforcing the Gift/Voucher system.

Public API Endpoints like Mapbox and GeoIP.

Only vulnerabilities that haven’t been disclosed to the public before we fixed the bug are eligible for a reward.

Do not subject our APIs or websites to denial-of-service attacks, scraping, brute force, or other types of automated attacks. Do not try to get access to data of real customers. Use your own test accounts for a proof-of-concept.

Our bounty rewards and response SLAs

Our rewards are based on severity per CVSS v3.1 Ratings. In the event of duplicate reports, we award a bounty to the first person to submit an issue. For a critical severity you additionally need to demonstrate that your attack could compromise the confidentiality or integrity of all komoot users without any user interaction needed.

Critical

5.000 USD

High

500 USD

Medium

200 USD

Low

100 USD

We aim at an initial response time of 7 days. You should expect a payment for confirmed vulnerabilities within four weeks.

Photo by Tobias