Security Bounty Program
No technology is perfect. At Cryptohopper, we always want to ensure that traders can manage their portfolios without the need to worry about their data and trade execution. If you find something that potentially affects the security of our users, we appreciate your help and do reward actionable information.
In Scope
You can submit any number of vulnerabilities in our systems. Not all vulnerabilities are equal though. If you find a vulnerability in the following categories, please contact us as soon as possible:
- SQL Injection vulnerabilities
- Encryption vulnerabilities
- Remote Code Execution
- Authentication Bypass, Unauthorized data access
- XML External Entity
- S3 Bucket Upload
- Server-Side Request Forgery
The following domains and apps are eligible for rewards under this program:
- www.cryptohopper.com
- api.cryptohopper.com
- iOS application at Apple Store: cryptohopper-crypto-trading/id1463052050
- Android application at Google Play Store: com.cryptohopper_mobile
Out of Scope
We do not accept submissions in the following categories:
- Ability to create user accounts without any limits
- Ability to perform an action unavailable via the user interface without an identified security risk
- Ability to send emails with no control over content without any limits
- Any activity that could lead to the disruption of our service (DoS)
- Attacks that require MiTM or physical access to a user's device
- Clickjacking
- Content spoofing and text injection
- CSV injection without demonstrating a vulnerability
- Disclosure of non-sensitive information, like product version, file path on a server, stack trace, etc.
- Disclosure of origin and private IP addresses or domains pointing to private IP addresses
- Leakage of sensitive tokens (e.g. password reset token) to trusted third parties on secure connection (HTTPS)
- Missing best practices in SSL/TLS configuration
- Missing best practices in DNS configuration (DKIM/DMARC/SPF/TXT)
- Missing best practices in HTTP headers without demonstrating a vulnerability
- Missing notifications about important actions
- Missing protection mechanisms or best practices without demonstration of real security impact for users or the system
- Previously known vulnerable libraries without a working proof of concept
- Reports that include only crash dumps or automated tool output without a working proof of concept
- Unauthenticated/login/logout CSRF
- User enumeration
- Vectors that require an unpatched environment (e.g. missing Windows updates)
- Vectors that require browser versions released 6 or more months before report submission
- Missing rate limiting on endpoints
- Cross-Site Request Forgery (CSRF)
How to submit a vulnerability
You can submit vulnerabilities to us by email to [email protected].
State concisely in your email what vulnerability you have found. Particularly include the following in your email:
- Which vulnerability
- The steps you undertook
- The entire URL
- Objects (as filters or entry fields) involved
- Screenshots and screen videos are highly appreciated
- Provide your IP address in the bug report; it will be kept private and used for tracking your testing activities and reviewing the logs on our side
- Describe the issue you found as explicitly and in as much detail as possible, and provide any evidence you have. You can assume that the notification will be received by specialists.
Rules
Take responsibility and act with extreme care and caution. When investigating the matter, only use methods or techniques that are necessary to find or demonstrate the vulnerabilities.
- Be an ethical hacker and respect other users' privacy
- Do not use vulnerabilities you discover for purposes other than your own investigation
- Do not disclose vulnerabilities to parties other than Cryptohopper; provide us a reasonable amount of time to resolve the issue before disclosure to the public or a third party
- Do not use social engineering to gain access to a system
- Do not install any back doors, not even to demonstrate the vulnerability of a system. Back doors will compromise the system's security
- Do not alter or delete any information in the system. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further
- Do not alter the system in any way
- Only infiltrate a system if absolutely necessary. If you do manage to infiltrate a system, do not share access with others
- Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems
- Secure your own systems as tightly as possible
Rewards
We maintain flexibility with our reward system, and have no minimum/maximum amount; rewards are based on severity, impact, and report quality. To receive a reward, you must reside in a country not on sanctions lists (e.g., Cuba, Iran, North Korea, Sudan & Syria). This is a discretionary program and Cryptohopper reserves the right to cancel the program; the decision whether to pay a reward is at our discretion.
Additional considerations:
- When duplicates occur, we only award the first report that we receive
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
- Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.