Kyivstar is the largest Ukrainian telecommunication operator, providing communications and data services based on a broad range of mobile and fixed-line technologies, including 4G. The company's customer base amounts to over 26 million mobile subscribers and over 800 thousand broadband Internet subscribers.
Kyivstar values engaging third-party researchers to improve our products, making them safer and more reliable. We understand our responsibility to provide our customers with quality services, and we constantly improve the protection of our subscribers' personal data. Moreover, Kyivstar strives to keep abreast of the latest state-of-the-art security developments by working with security researchers. Our goal with the Bug Bounty program is to foster a collaborative relationship with researchers who participate in responsible disclosure of vulnerabilities in Kyivstar's resources and connected services.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
When submitting an issue, please be sure to include the following: browser, browser version, URL, steps to reproduce, etc.
[rewards for this program vary based on the target, please review below for more info]
| Severity | Mobile Apps | Web Apps |
|----------|-------------|----------|
| P1 | $2000 - $3000 | $2100 - $2500 |
| P2 | $1400 - $1800 | $1200 - $1500 |
| P3 | $500 - $800 | $500 - $750 |
| P4 | $150 - $200 | $150 - $200 |
| P5 | no reward | no reward |
If a single submitted vulnerability has a widespread effect on multiple separate services or features, the issue is only eligible for a single reward. The first valid vulnerability will be rewarded.
Kyivstar will pay a submission's bounty after the vulnerability has been reviewed by the Kyivstar team. Please be aware that Kyivstar will work to review and reward issues as quickly as possible; on average, this takes between 1 and 6 business days after the issue has been triaged by Bugcrowd.
We will not fix any P4 issues on community.kyivstar.ua.
My Kyivstar iOS Mobile Application
My Kyivstar Android Mobile Application
Any domain/property of Kyivstar not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
All of the in-scope targets are publicly accessible, and researchers are free to test using any accounts they are able to self-provision or already have access to. A couple of apps have credentials you can request (read the section below for more info). In particular, Ukrainian researchers and researchers from neighboring countries are highly encouraged to participate in this program.
Each requesting researcher will be given one test account. Please follow the guide below to obtain credentials.
Current Researchers can log in here: https://bugcrowd.com/user/sign_in.
New researchers can sign up here: https://bugcrowd.com/user/sign_up.
Once signed in, please email firstname.lastname@example.org to request credentials using the subject line "Kyivstar Credential Request".
You will be provided a unique, working credential for My Kyivstar as soon as we are able to provision it. That said, please allow roughly 24 business hours for credentials to be provided (and be aware that Bugcrowd operates in the PST timezone).
Kyivstar Official Marketing Website
Apps of My Kyivstar:
We will investigate legitimate reports and make every effort to correct any valid vulnerabilities as quickly as possible. In the spirit of encouraging responsible disclosure and reporting we ask you to follow these Responsible Disclosure Guidelines:
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.