
Policy Details
- Last Updated: 20 November, 2025
- Issued By: Kingzprime LTD
- Doc Type: Bug Bounty
Bug Bounty
Rules of Engagement and Security Testing Guidelines
At Kingzprime, maintaining state-of-the-art security is a core priority. We are committed to keeping our systems and our customers’ assets safe and secure. Every valid security report helps us improve, and we take each one seriously as we assess potential risks to our platform and users.
This document outlines:
• The guidelines security testers and researchers must follow
• The scope of the program
• The types of vulnerabilities we are interested in
• Our reward structure
• The Code of Conduct for all participants
By participating in the Kingzprime Bug Bounty Program, you agree to follow these guidelines and our Code of Conduct.
1. Guidelines
We expect all program participants to adhere to the following:
• Only submissions containing a working Proof of Concept (PoC) will be eligible for rewards.
o Your PoC must clearly describe the step-by-step process used to exploit the vulnerability or chain of vulnerabilities.
• While we welcome participation from the global security research community, Kingzprime reserves the right to determine whether a submission:
o Sufficiently demonstrates impact
o Meets our internal risk threshold
o Qualifies for a monetary reward
• All submissions should be sent to our dedicated bug bounty email address – “gabriel@kingzprime.com”
o We aim to acknowledge and respond to each submission within 7 calendar days.
o Submissions that lack evidence or detailed PoCs may experience delays during triage.
Please ensure your testing does not disrupt our services or negatively impact Kingzprime users.
2. Scope
The following assets are in scope:
• Kingzprime web application (production environment)
• Kingzprime Android application
• Kingzprime iOS application
• Kingzprime-owned domains and subdomains
Any Kingzprime asset or domain not explicitly listed as in scope is considered out of scope, including:
• Staging, development, or test environments, unless explicitly authorized
• Third-party services not operated or controlled by Kingzprime
If you are uncertain whether a target is in scope, please reach out for clarification before testing.
3. Types of Vulnerabilities
We are especially interested in vulnerabilities that demonstrate clear security impact, including but not limited to:
• Arbitrary remote code execution (RCE)
• Unrestricted filesystem access
• Unrestricted database access
• Unauthorised transfer of customer crypto assets
• Authentication bypass (e.g., login without valid credentials)
• Customer account takeover (e.g., session hijacking, credential theft, or privilege escalation that results in full account control)
We do not encourage and will not reward testing that involves:
• Social engineering of Kingzprime staff or customers
• Deletion or modification of customer data, except test data you created yourself
• Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks against Kingzprime applications or infrastructure
• Physical attacks on data centers or offices
• Spam or phishing campaigns targeting Kingzprime users
When demonstrating impact, use minimal, controlled test data and avoid actions that could cause real harm to users or operations.
4. Rewards
Rewards are based on the severity and business impact of the validated vulnerability. Severity is determined using Kingzprime’s internal risk assessment, which may differ from standard CVSS scoring.
Up to 1,000 USD
For vulnerabilities that could lead to severe impact, such as:
• Significant financial or crypto asset loss
• Full system compromise
• Major data loss or leakage
Typically includes:
• Remote arbitrary code execution
• Unrestricted filesystem access
• Unrestricted database access
Up to 300 USDT
For vulnerabilities that could lead to unauthorized access or asset movement, such as:
• Unauthorized access to customer account information
• Unauthorized transfer of customer crypto assets
• Authentication bypass
• Privilege escalation within customer accounts or admin tools
Up to 100 USDT
For vulnerabilities that:
• Affect a single non-critical component or security control
• Pose a plausible but limited security risk
• Do not directly result in significant financial loss or business disruption
Examples include minor access control issues, limited information disclosure, or security misconfigurations with constrained impact.
Note:
• Duplicate reports of the same issue will generally reward only the first valid submission.
• Low-quality reports without clear impact or PoC may be closed as informational without reward.
5. Code of Conduct
Our Code of Conduct ensures that security researchers and Kingzprime team members can collaborate in a professional, ethical, and respectful manner.
We expect all participants to:
• Act professionally and respectfully in all communications with Kingzprime.
• Behave ethically and report all findings to us in a timely manner.
• Make submissions without conditions, demands, or threats.
• Be responsive and cooperative if we ask for additional information during triage or remediation.
• Not disclose any vulnerability details or sensitive customer information to third parties or the public without explicit written permission from Kingzprime.
• If a vulnerability grants broad access to data, limit the amount of data accessed to the minimum required to demonstrate impact.
• Follow applicable data protection and privacy regulations when handling any discovered sensitive data.
• Securely delete or destroy any sensitive customer data or Kingzprime-related data obtained during testing after the issue has been resolved and the submission is closed.
Any breach of this Code of Conduct may result in removal from the program and potential legal action where necessary.
6. Rights
By participating in the Kingzprime Bug Bounty Program and submitting a report, you agree that:
• Kingzprime has the right to use, modify, and distribute your findings (including PoCs and technical details), solely for the purpose of improving security and operations.
• No additional rewards or compensation will be owed beyond what is described in the Rewards section and any bounty already paid.
• Participation in this program does not create an employment or contractor relationship between you and Kingzprime.