Bug reporting program
Kiwisocial is a social network built around the feed, threads, direct messages, communities, and the tools people use every day to stay connected. This is a volunteer programme: there are no paid bounties, but we triage serious reports, fix what we can, and recognise contributors on the leaderboard when a report reaches Resolved.
About the program
We use your submissions to reproduce issues, understand impact, and prioritise fixes. The more precise you are, the faster we can move from triage to a real outcome.
Severity and triage
Reports use a simple scale: N/A (not applicable or no security angle), Low, Medium, High, and Critical. Triage may adjust the level based on technical risk and where the bug shows up (for example, authentication versus a cosmetic settings glitch).
Leaderboard & points
When a report is Resolved, points depend on the final severity (and triage is counted once). See the Leaderboard tab for the current formula.
Priority product areas
We care most about issues that affect trust, data, or day‑to‑day use of the product. When you file, pick the closest Area in the form—this helps us route the report. Today’s categories include:
- Feed / home
- Threads & comments
- Profile & connections
- Direct messages (DMs)
- Communities
- Search & explore
- Notifications
- Account settings
- Login & signup (OAuth, etc.)
- Bookmarks
- Subscriptions
- Achievements & personal stats
- Post composer / publishing
- Ads (feed)
- Layout / mobile web
- Other / uncategorised
Guidelines
We welcome functional bugs, regressions, and security issues on the in‑scope service. Please:
- Use an active Kiwisocial account to submit (so we can follow up and attribute recognition fairly).
- Provide reproduction steps, what you expected, and what you observed.
- Note the browser, OS, and URL when relevant; screenshots or short screen recordings help.
- Keep communication factual and respectful—no harassment or spam.
- Feature requests or pure UX opinions aren’t what this form is for—use support for product ideas when appropriate.
What we need in each report
- One main issue per report. If you must show a chain of problems to prove impact, describe the links clearly in a single report.
- A short title and a description that let us reproduce without guessing—include test data you created on your own account when useful.
- For security findings, state the impact in plain language (who is affected, what could leak or break).
- Do not publicly disclose details of an unfixed issue; wait until the team has completed handling it.
Responsible testing
Only test with accounts, communities, and content you control. Do not take actions that could harm the reliability of the service, other users, or our infrastructure. In particular:
- No denial‑of‑service, credential stuffing, large‑scale scraping, or brute‑force attacks.
- No testing against other people’s accounts or messages without their explicit permission.
- Avoid noisy automated scanning against production; if you are unsure whether a test is safe, ask before you run it.
Scope
In scope
The Kiwisocial web application at kiwisocial.eu and the features we host—including account lifecycle, the home feed, threads and replies, profiles, direct messages, communities, search and discovery, notifications, bookmarks, the post composer, optional subscriptions or in‑app monetisation where we own the stack, and account settings—are in scope when the team can act on the finding.
Out of scope
Examples we usually close as out of scope or informational (not an exhaustive list):
- Availability or performance issues caused by hosting, DNS, or providers we do not run.
- Bugs in third‑party login, payment, or analytics products are primarily for those vendors. If the issue is in how we integrate (wrong redirect, bad token handling on our site), that part is in scope; a defect only inside the third‑party service usually is not.
- User‑generated content or harassment as such—unless the product mishandles that content (e.g. unsafe rendering, broken privacy boundary) in a way we can fix in code.
- Social engineering of users or staff, or issues that need physical access to a device you do not own.
- Generic rate‑limit tuning, missing security headers, or clickjacking on non‑sensitive actions, when impact is low and theoretical.
- Self‑XSS or issues that only affect the person running the attack in their own session, with no broader impact.
- Reports that require denial of service, spam, or testing on accounts you do not control.
If you are unsure, file anyway and we will triage; low‑signal reports may be marked informative without points.
Updates
No program updates yet. When the team posts news about triage, scope, or recognition, it will show up here.
Activity
- Kiwisocial: Bug reported by @Ikariu was resolved 1 week ago (severity: N/A)
Leaderboard
Top researchers by reporter score. Triage (once per report) and severity count only for reports in Resolved state: triage +5, N/A 0, Low 10, Med 20, High 35, Critical 50. Duplicates void triage. Changing status or severity updates points for that report.
- Ikariu (@Ikariu): 5 pts
Metrics
A simple view of volume below. Response‑time targets (first reply, triage, resolution) will be published when we are ready to commit to them publicly.