Security

KittyCAD is built with security in mind from the ground up. We care deeply about the security of our product and our customer's information.

The below information is meant for any security researcher who might find a vulnerability in the security of our product.

Bounties

We will pay bounties for the following types of vulnerabilities if a reasearcher can show a proof of concept that does the following:

  • Obtaining write access to any of our code source repositories.
  • Obtaining read access to any of our private source code repositories.
  • Obtaining access to our private network/infrastructure.
  • Obtaining access to our databases.
  • Obtaining access to corporate systems (email, drive, etc).
  • Obtaining access to any customer data and accounts. This includes customers API Keys, billing information etc.

We will not pay for the following:

  • DoS attacks
  • Phishing attacks
  • Any script kitty (no pun intended) off-the-shelf script that does not prove one of the following vulnerabilities above.

Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of live user production services. Only interact with accounts you own or with the explicit permission of the account holder.
  • Please limit security scanner QPS against KittyCAD domains to 5 QPS

When Should I Report a Vulnerability?

  • You think you discovered a potential security vulnerability in KittyCAD.
  • You are unsure how a vulnerability affects KittyCAD.

When Should I NOT Report a Vulnerability?

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of KittyCAD and adjustments to the qualified vulnerabilities mentioned above.

Contact information

If you have found a security vulnerability or something you think is an exception to the above, please email security@kittycad.io with your concern.

We’re incredibly grateful for security researchers and users that report vulnerabilities to us. All reports are thoroughly investigated.