Security

As contributors to open source and to the IT community in general, we value the work of independent security researchers.

If you’re good enough to spot a vulnerability in our site, we’d love to know about it. We’ll reward anyone who reports a critical vulnerability for the first time.

Just follow the guideline below to ensure that you qualify for a reward and that you don’t violate our Terms and Conditions.

Banking institutions with issues related to fraud/chargeback should contact chargebacks@kiwi.com.

Send an email to fraud@kiwi.com if you have a fraud-related issue.

Reporting vulnerabilities

Send an email to security@kiwi.com and include your name and contact details.

Encrypt all sensitive information using our
PGP Key
.

Provide full details of the vulnerability so that we can easily reproduce it.

Avoid disrupting or degrading our services in any way. Given the nature of our business, denial-of-service attacks are not welcome at all.

Don’t copy, delete, access, or change any data that doesn’t belong to you.

Don’t publicise any details of the vulnerability until we’ve had a chance to fix it.

We’ll try to get back to you within 2 working days.