We welcome and appreciate the responsible disclosure of security vulnerabilities from the security research community. By collaborating with researchers, we continuously enhance the security of our products and services to protect our users and ecosystem partners.
Scope:
Web Applications: kiwibit.com
Mobile Applications: Kiwibit (iOS / Android)
Cloud Services and APIs: IoT platform (device management, account and authentication, data and log interfaces)
Devices and Firmware: Network cameras / Smart bird feeders (including network configuration, upgrades, logs, local/remote debugging)
Real-time Audio and Video: IoT-RTC / signaling, streaming/playback, P2P/relay, media storage
Authentication and Identity Mechanisms
Reporting Method:
If you discover a potential security issue, please send an email to support@kiwibit.com, and include as much information as possible:
Affected target (app, firmware version, etc.)
Vulnerability type, scope of impact, and a brief description of the business impact
Steps to reproduce the vulnerability (if available)
Expected and actual results
Relevant logs, screenshots, or network captures (if applicable, ensure sensitive data is masked)
Contact information and optional public key (for encrypted communication)
Response and Fix Timelines:
Critical issues: Initial response and classification within 48 hours
High-severity issues: Initial response and classification within 3 business days
Other issues: Response and action plan within 7 business days
We aim to complete fixes within 90 days, depending on the complexity and dependencies of the issue.
Collaboration Process:
Vulnerability submission → Vulnerability review → Classification and reproduction → Fix and mitigation → Summary release
Participation Rules:
Respect and protect user privacy and data.
Avoid causing service interruptions, degradations, or additional costs.
Unauthorized access, modification, or deletion of data is prohibited.
Test only within the scope defined in this document and comply with applicable laws and regulations.
Prohibited Actions:
Exploiting vulnerabilities for profit, harming users, or disrupting system availability.
Downloading or retaining Kiwibit’s source code, production data, or intellectual property content.
Performing tests that result in service disruptions, data loss, or device damage.
Intimidating, extorting, or exaggerating impacts to create panic.
Publicly disclosing, spreading, or trading vulnerability details before a fix is implemented.
Performing tests that violate international laws or local regulations.
Failing to properly protect data and credentials during testing.
Public Disclosure:
We support responsible disclosure. Please do not publicly disclose technical details or exploit code before vulnerabilities are fixed or mitigated. If the timing of a disclosure needs to be coordinated, please contact us via email to agree on the timeline and scope.
Contact Us:
For security issues, please email support@kiwibit.com
Disclaimer:
Kiwibit may update this page without notice. By participating in vulnerability disclosure, you agree to the above rules and guidelines. This document does not constitute a commitment to any rewards or compensation.