Security at Koala

At Koala, we take the security and privacy of our customers' data extremely seriously. We are committed to maintaining the highest standards of security and constantly work to protect our systems and your information.

We appreciate the efforts of security researchers and the broader community in helping us maintain a secure platform. If you discover a potential security vulnerability, we encourage you to report it to us immediately.

How to report an issue

If you have discovered an issue that is not part of our out-of-scope vulnerabilities, please send an email to [email protected] with the following details:

  • A summary of the issue and its potential impact
  • A detailed breakdown of the steps to replicate the issue
  • Details of the environment you are using (e.g., operating system, browser version)
  • If available, any proof-of-concept code demonstrating exploitation of the vulnerability

What happens next

Upon receiving your report, our security team will investigate the issue. We'll keep you updated on the progress and reach back out to you if we need additional information.

We value the time and effort put into responsible disclosure. Valid, in-scope vulnerabilities with a CVSS score of 4.0 or higher may be eligible for a financial reward. The specific amount will be determined based on the severity and impact of the issue.

In scope

  • https://getkoala.com
  • https://app.getkoala.com
  • https://api.getkoala.com

Out-of-scope

  • Automated vulnerability scanning
  • Social engineering attempts, especially targeting Koala employees
  • Denial of Service (DoS) attacks
  • Attacks requiring physical access to a user's device
  • Theoretical vulnerabilities without proof of exploitability
  • Man-in-the-middle attacks
  • Clickjacking on pages with no sensitive actions
  • High-privilege users (admins, owners) using a bug to sabotage/deface their own workspace
  • Logic bugs allowing bypassing of free account limits to access paid features
  • Missing best practices in Content Security Policy (CSP), email DNS records, or cookies (these may be considered informative but are unlikely to qualify for rewards)

Additional requests

To ensure a safe and responsible vulnerability research process, we kindly ask that you adhere to the following guidelines:

  • Test on your own account: Please only test vulnerabilities using your own account or with explicit permission from the account holder. This helps protect our users' privacy and data integrity.
  • Respect privacy and data: We ask that you make every effort to avoid privacy violations, unauthorized access to data, and any actions that could potentially damage or destroy data.
  • Maintain service integrity: Please make a good faith effort to avoid interruption or degradation of our services.
  • Limited scope: If you manage to gain remote access to our systems, please do not attempt to expand or elevate your access to other servers.
  • Responsible disclosure: To prevent potential exploitation, we kindly request that you do not make the vulnerability public before reporting it to us, and give us adequate time to address the issue.