Security

As contributors to open source and to the IT community in general, we value the work of independent security researchers.

If you’re good enough to spot a vulnerability in our site, we’d love to know about it. We’ll reward anyone who reports a critical vulnerability for the first time.

Just follow the guideline below to ensure that you qualify for a reward and that you don’t violate our Terms and Conditions.

Reporting vulnerabilities

  • Send an email to security@kiwi.com and include your name and contact details.
  • Encrypt all sensitive information using our
    PGP Key
    .
  • Provide full details of the vulnerability so that we can easily reproduce it.
  • Avoid disrupting or degrading our services in any way. Given the nature of our business, denial-of-service attacks are not welcome at all.
  • Don’t copy, delete, access, or change any data that doesn’t belong to you.
  • Don’t publicise any details of the vulnerability until we’ve had a chance to fix it.
We’ll try to get back to you within 2 working days.
Banking institutions with issues related to fraud/chargeback should contact chargebacks@kiwi.com.