
Find a verifier bypass. Earn $10,000.

We sell signed artifacts to hospitals and banks. The cryptographic chain is load-bearing. If you can forge a receipt that our verifier accepts, or get a tampered manifest past the CID check, we owe you money. Submit, get acknowledged within 24 hours, paid within 14 days of confirmed reproduction.

Max payout:    $10,000
Acknowledged:  24 hours
Paid:          14 days
Window:        30 days

Payout table

Severity is scoped to what the bug breaks in a real customer deployment. We pay more for things that compromise the trust model than for things that crash a server.

Class                                                          Payout

Verifier bypass                                                $10,000
  Forge a .kolm + receipt that `kolm verify` accepts despite the manifest not matching the artifact bytes. Highest severity; the receipt chain is our most load-bearing claim.

Receipt forgery                                                $5,000
  Produce a receipt that HMAC-verifies without access to the signing key.

CID collision                                                  $5,000
  Two distinct canonical manifests with the same CID under our hash construction (not a generic SHA-256 attack).

RCE on api.kolm.ai                                             $2,000 - $10,000
  Remote code execution on the production API server. Severity (Critical / High / Medium / Low) maps to a band.

Auth bypass                                                    $3,000 - $8,000
  Access another tenant's data, artifacts, receipts, or audit log.

Stripe/billing logic                                           $2,000 - $5,000
  Compile or run without paying. Reach a billing surface that should not be reachable.

K-score gate bypass                                            $3,000
  Get an artifact past the gate at a lower K than the receipt declares.

SSRF / SQLi / XSS                                              $500 - $3,000
  Standard web vulns on customer-reachable surfaces.
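To make the three cryptographic classes above concrete, here is an added toy model of a manifest -> CID -> receipt chain and the checks a verifier runs over it. It is illustration written for this page, not kolm's code or wire format: the manifest field names, the canonical-JSON encoding, the `cid|k=` receipt payload and the sample artifact bytes are all assumptions. Each tampering attempt in `demo()` lines up with one bounty class: swapped artifact bytes (verifier bypass), a receipt made under the wrong key (receipt forgery), an inflated K (gate bypass), and a reordered-but-equivalent manifest, which is not a CID collision because canonicalisation makes the bytes identical.

```python
import hashlib
import hmac
import json

# Toy model of a manifest -> CID -> receipt chain. Field names, the canonical
# JSON encoding and the receipt format are ASSUMPTIONS for illustration only,
# not kolm's actual wire format.


def canonical_manifest(manifest: dict) -> bytes:
    """Canonical JSON (sorted keys, no insignificant whitespace) so that the
    same logical manifest always hashes to the same CID."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode()


def cid(manifest: dict) -> str:
    return "sha256:" + hashlib.sha256(canonical_manifest(manifest)).hexdigest()


def receipt_payload(c: str, k: int) -> bytes:
    # The receipt binds the CID and the declared K-score together.
    return f"{c}|k={k}".encode()


def issue_receipt(key: bytes, manifest: dict) -> dict:
    c = cid(manifest)
    k = int(manifest["k_score"])
    mac = hmac.new(key, receipt_payload(c, k), hashlib.sha256).hexdigest()
    return {"cid": c, "k_score": k, "mac": mac}


def verify(key: bytes, artifact: bytes, manifest: dict, receipt: dict,
           min_k: int) -> tuple[bool, str]:
    # Check 1 (verifier bypass class): manifest must describe these exact bytes.
    if hashlib.sha256(artifact).hexdigest() != manifest.get("artifact_sha256"):
        return False, "artifact bytes do not match manifest"
    # Check 2: recompute the CID from the manifest; never trust a CID carried
    # in the input.
    c = cid(manifest)
    if receipt.get("cid") != c:
        return False, "receipt CID does not match manifest"
    # Check 3 (receipt forgery class): HMAC over CID + declared K, compared in
    # constant time.
    k = receipt.get("k_score")
    mac = receipt.get("mac")
    if not isinstance(k, int) or not isinstance(mac, str):
        return False, "malformed receipt"
    expected = hmac.new(key, receipt_payload(c, k), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "receipt MAC invalid"
    # Check 4 (K-score gate class): the K the receipt declares must equal the
    # K the manifest carries (already bound via the CID; kept as a cheap
    # consistency check) and must clear the gate.
    if k != int(manifest["k_score"]):
        return False, "receipt K differs from manifest K"
    if k < min_k:
        return False, f"K={k} below gate {min_k}"
    return True, "ok"


def demo() -> dict:
    """Run the verifier over a valid chain and several tampering attempts."""
    key = b"constructed-demo-key-not-a-real-secret"      # constructed sample
    artifact = b"constructed sample artifact bytes v1"    # constructed sample
    manifest = {
        "name": "demo-model",
        "version": "1.0.0",
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "k_score": 7,
    }
    receipt = issue_receipt(key, manifest)
    evil = artifact + b"\x00"
    results = {"valid": verify(key, artifact, manifest, receipt, 5)}
    # Swap the artifact bytes, keep manifest and receipt.
    results["tampered_artifact"] = verify(key, evil, manifest, receipt, 5)
    # Rewrite the manifest to match the tampered bytes: its CID changes and the
    # old receipt no longer applies.
    tampered = dict(manifest, artifact_sha256=hashlib.sha256(evil).hexdigest())
    results["tampered_manifest"] = verify(key, evil, tampered, receipt, 5)
    # Receipt issued under a key the attacker chose.
    forged = issue_receipt(b"attacker-chosen-key", manifest)
    results["forged_receipt"] = verify(key, artifact, manifest, forged, 5)
    # Receipt edited to declare a higher K than was signed.
    results["inflated_k"] = verify(key, artifact, manifest,
                                   dict(receipt, k_score=9), 5)
    # Honest receipt, but the gate asks for more than the artifact has.
    results["below_gate"] = verify(key, artifact, manifest, receipt, 8)
    # Same manifest, different key order: canonicalisation yields one CID. A
    # "CID collision" means two *different* canonical byte strings colliding.
    reordered = {k: manifest[k] for k in reversed(list(manifest))}
    results["same_cid_reordered"] = cid(reordered) == cid(manifest)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```

The ordering of the checks matters for reporting: a report that gets past check 1 with mismatched bytes is the $10,000 class, one that gets past check 3 without the key is the $5,000 receipt-forgery class, and one where a receipt for K=7 clears a gate set at 8 is the gate-bypass class. Note that the real verifier is what is in scope; this model only shows which claim each class breaks.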

In scope

Out of scope

  • DoS / volumetric attacks (we'll pay for design flaws, not load tests)
  • Social engineering of our staff or customers
  • Physical attacks on offices or hardware
  • Findings on third-party services we use (report to them, then to us)
  • Self-XSS, missing security headers without an exploitable consequence, missing CAPTCHA
  • Outdated dependency reports without a working exploit (we run pip-audit + npm audit weekly)

How to submit

To:   security@kolm.ai
PGP:  https://kolm.ai/pgp.asc  (key id 0xA1B2C3D4...)

Subject: [bounty] one-line summary

Body:
  1. impact (what breaks)
  2. steps to reproduce (exact)
  3. minimal PoC (artifact, request, command)
  4. your handle for the hall of fame (optional)
  5. payout preference (bank, PayPal, BTC)

Do not file a public GitHub issue, do not tweet about it, do not test against tenants you do not own. We follow a 30-day coordinated disclosure: you tell us, we fix it, then you can talk about it.

Hall of fame

Researchers who reported confirmed issues. Listed in order of payout, anonymized on request.

r0t3n        $3,000    auth bypass on /v1/account
nullbyte_    $1,500    CID parsing in verifier
aleph        $500      SSRF on /v1/captures import

All three reports were paid within 9 days of confirmed reproduction. Public disclosure happened on days 31, 33 and 28 respectively, each at the researcher's request.