Vulnerability Disclosure Process
Kraken is an end-to-end platform for utilities. Our platform manages millions of customer accounts on behalf of our clients, and our product aims to increase innovation in the utilities space.
We're committed to the security of our business and customers. We value close collaboration with the security community, suppliers, and partners to flag potential security vulnerabilities in the Kraken ecosystem.
Our Vulnerability Disclosure Process is separate from our Private HackerOne program.
Report a vulnerability
Vulnerability disclosures must be submitted using the Submission Form or by emailing security.disclosure@kraken.tech.
Please note we do not offer monetary rewards for vulnerability disclosures.
Vulnerability Disclosure Rules
Please provide detailed reports with reproducible steps.
Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
What’s in scope
Security vulnerabilities that are identified in any internet-facing service owned, operated, or controlled by Kraken.
What’s out of scope
When reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
Rate limiting issues on Kraken’s demo form.
Clickjacking on pages with no sensitive actions.
Unauthenticated/logout/login CSRF.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.

We’ll aim to respond within 2 business days
Kraken will make a best effort to meet the following response time targets for vulnerability report submissions:
Time to first response (from reporting) = 2 business days
Time to triage (from reporting) = 2 business days
If you leave us your email address when you submit the form, we’ll contact you with a response to your report.
Thank you for helping to keep Kraken and our clients safe!