SECURITY PROGRAMME
Responsible Vulnerability Disclosure
Kiwi Insurance
Kiwi Insurance is committed to keeping our customers' data safe and our systems secure. We welcome security researchers who help us identify and fix vulnerabilities through responsible, coordinated disclosure.
REPORT A VULNERABILITY - security@kiwiinsurance.com
01 Our Commitment
We believe that collaborative relationships with the security community make everyone safer. If you discover a vulnerability in our systems, we encourage you to tell us about it so we can address it promptly — before it can be exploited by malicious actors.
When you report in good faith and follow this policy, Kiwi Insurance will work with you in a transparent and timely manner, and will not pursue legal action against researchers acting within these guidelines.
02 Scope
In Scope
✓ kiwiinsurance.com and all subdomains
✓ Kiwi Insurance mobile applications (iOS & Android)
✓ Customer portal and online quote engine
✓ Policy management and claims systems
✓ API endpoints used by our services
✓ Authentication and session management
Out of Scope
✗ Third-party services and integrations we don't control
✗ Denial of service (DoS/DDoS) attacks
✗ Physical security or social engineering attacks
✗ Spam, phishing, or email security issues
✗ Automated scanning without prior written approval
✗ Systems belonging to Kiwi Insurance partners or vendors
03 What We Ask of You
To qualify for safe harbour protections and recognition, researchers must adhere to the following guidelines:
✓ Report vulnerabilities promptly to Security@kiwiinsurance.com — do not disclose publicly until we have had a reasonable opportunity to remediate.
✓ Only access data that is your own, or test accounts specifically created for research by you. Never access, modify, or exfiltrate real customer data.
✓ Provide enough detail for us to reproduce and understand the issue — a clear description, steps to reproduce, proof-of-concept, and potential impact.
✓ Act in good faith. Avoid actions that could disrupt services, degrade performance, or compromise the privacy and safety of our customers.
✓ Keep your findings confidential until we have resolved the issue and agreed on a disclosure timeline with you.
04 What to Expect From Us
We are committed to timely, transparent communication throughout the disclosure process.
▸ Acknowledgement — within 2 business days
We will acknowledge receipt of your report and assign it a unique reference number.
▸ Initial assessment — within 10 business days
A member of our security team will contact you with a severity classification and initial triage outcome.
▸ Remediation target — within 60 days
We aim to remediate all confirmed vulnerabilities within 90 days. Complex or systemic issues may require additional time — we will keep you informed throughout.
▸ Post-remediation
We will notify you once the fix is live.
05 Recognition
We deeply value the efforts of security researchers who help us protect our customers. Researchers who submit valid, in-scope vulnerabilities will be:
✓ Publicly credited to the Kiwi Insurance Security Hall of Fame (with your consent).
✓ Kept informed throughout the remediation process with transparent, timely updates.
✓ Notified when their finding has been patched and deployed to production.
While we do not currently operate a paid bug bounty programme, we are committed to acknowledging your contribution fairly and working collaboratively with researchers who act within this policy.
06 Safe Harbour
Kiwi Insurance will not pursue civil or criminal action against security researchers who make a good-faith effort to comply with this policy. We consider responsible vulnerability research and testing to be authorised conduct under applicable law.
Important Notice
Safe harbour applies only to activities that are strictly limited to what is necessary for identifying and reporting a vulnerability. It does not apply to actions that cause damage, access real customer data, disrupt services, or violate any laws beyond what is strictly required to identify a security issue. Researchers must not conduct automated scanning or attempt to access accounts other than their own without prior written approval from Kiwi Insurance.
06 CERT-In
As a Regulated Entity, Kiwi Insurance encourages security researchers to familiarize themselves with and adhere to the guidelines set forth by the Indian Computer Emergency Response Team (CERT-In). This includes understanding CERT-In's role as a CVE Numbering Authority (CNA), the principles of the Responsible Disclosure Framework, and the acknowledgement process administered by CERT-In for coordinated vulnerability disclosure.
Last updated April 2026 · Questions? Contact us at security@kiwiinsurance.com