Security Bounty Program

No technology is perfect. At Cryptohopper, we want to ensure that traders can manage their portfolios without having to worry about their data or trade execution. If you find something that potentially affects the security of our users, we appreciate your help and reward actionable information.

In Scope

You can submit any number of vulnerabilities in our systems. Not all vulnerabilities are equal, though. If you find a vulnerability in one of the following categories, please contact us as soon as possible.

The following vulnerability categories are eligible for rewards under this program:
  • SQL Injection vulnerabilities
  • Encryption vulnerabilities
  • Remote Code Execution
  • Authentication Bypass, Unauthorized data access
  • XML External Entity
  • S3 Bucket Upload
  • Server-Side Request Forgery

The following domains and apps are eligible for rewards under this program:

  • www.cryptohopper.com
  • api.cryptohopper.com
  • iOS application on the Apple App Store: cryptohopper-crypto-trading/id1463052050
  • Android application at Google Play Store: com.cryptohopper_mobile

Out of Scope

We do not accept submissions in the following categories:

  • Ability to create user accounts without any limits
  • Ability to perform an action unavailable via user interface without identified security risks
  • Ability to send emails with no control over content without any limits
  • Any activity that could lead to the disruption of our service (DoS)
  • Attacks that require MitM or physical access to a user's device
  • Clickjacking
  • Content spoofing and text injection
  • CSV injection without demonstrating a vulnerability
  • Disclosure of non-sensitive information, such as product version, file path on a server, stack trace, etc.
  • Disclosure of origin and private IP addresses or domains pointing to private IP addresses
  • Leakage of sensitive tokens (e.g. password reset token) to trusted third parties on secure connection (HTTPS)
  • Missing best practices in SSL/TLS configuration
  • Missing best practices in DNS configuration (DKIM/DMARC/SPF/TXT)
  • Missing best practices in HTTP headers without demonstrating a vulnerability
  • Missing notifications about important actions
  • Missing protection mechanism or best practices without demonstration of real security impact for user or system
  • Previously known vulnerable libraries without a working proof of concept
  • Reports that include only crash dumps or automated tool output without a working proof of concept
  • Unauthenticated/login/logout CSRF
  • User enumeration
  • Vectors that require unpatched environment (e.g. missing Windows updates)
  • Vectors that require browser versions released 6 or more months before report submission
  • Missing rate limiting on endpoints
  • Cross-Site Request Forgery (CSRF)

How to submit a vulnerability

You can submit vulnerabilities to us by email to [email protected].

State concisely in your email what vulnerability you have found. In particular, include the following:

  • The type of vulnerability
  • The steps you undertook
  • The full URL
  • Objects (such as filters or entry fields) involved
  • Screenshots and screen recordings are highly appreciated
  • Your IP address, which will be kept private and used to track your testing activity and to review the logs on our side
  • Describe the issue as explicitly and in as much detail as possible, and provide any evidence you have. You can assume that the report will be read by security specialists

Rules

Take responsibility and act with extreme care and caution. When investigating the matter, only use methods or techniques that are necessary to find or demonstrate the vulnerability.

  • Be an ethical hacker and respect other users' privacy
  • Do not use vulnerabilities you discover for purposes other than your own investigation
  • Do not disclose vulnerabilities to parties other than Cryptohopper; give us a reasonable amount of time to resolve the issue before disclosing it to the public or a third party
  • Do not use social engineering to gain access to a system
  • Do not install any back doors, not even to demonstrate the vulnerability of a system. Back doors compromise the system's security
  • Do not alter or delete any information in the system. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further
  • Do not alter the system in any way
  • Only infiltrate a system if absolutely necessary. If you do manage to infiltrate a system, do not share access with others
  • Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems
  • Secure your own systems as tightly as possible

Rewards

We maintain flexibility with our reward system and have no minimum or maximum amount; rewards are based on severity, impact, and report quality. To receive a reward, you must reside in a country that is not on sanctions lists (e.g., Cuba, Iran, North Korea, Sudan and Syria). This is a discretionary program: Cryptohopper reserves the right to cancel the program, and the decision whether to pay a reward is at our discretion.

Additional considerations:

  • When duplicates occur, we only award the first report that we receive
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
  • Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working proof-of-concept code are more likely to be rewarded.

FAQ

Cryptohopper highly appreciates your effort in helping us secure our systems and processes. We determine the reward depending on the impact. The reward is not always monetary; it can also take the form of a Cryptohopper subscription.

Never publicize vulnerabilities in our IT systems or your investigation without consulting us first. Together we can prevent criminals from abusing your findings. Please consult our security experts and give us time to solve the problem.

You can report anonymously: you do not have to give us your name and contact details when you report a vulnerability. Please realize, however, that we will then be unable to consult with you about follow-up measures, e.g. what we do about your report or further collaboration, or to send you a reward.

Please send security issues to [email protected], encrypted with the PGP key provided in the Security Bounty Program documentation.

Disclaimer: Cryptohopper is not a regulated entity. Cryptocurrency bot trading involves substantial risks, and past performance is not indicative of future results. The profits shown in product screenshots are for illustrative purposes and may be exaggerated. Only engage in bot trading if you possess sufficient knowledge or seek guidance from a qualified financial advisor. Under no circumstances shall Cryptohopper accept any liability to any person or entity for (a) any loss or damage, in whole or in part, caused by, arising out of, or in connection with transactions involving our software or (b) any direct, indirect, special, consequential, or incidental damages. Please note that the content available on the Cryptohopper social trading platform is generated by members of the Cryptohopper community and does not constitute advice or recommendations from Cryptohopper or on its behalf. Profits shown on the Marketplace are not indicative of future results. By using Cryptohopper's services, you acknowledge and accept the inherent risks involved in cryptocurrency trading and agree to hold Cryptohopper harmless from any liabilities or losses incurred. It is essential to review and understand our Terms of Service and Risk Disclosure Policy before using our software or engaging in any trading activities. Please consult legal and financial professionals for personalized advice based on your specific circumstances.

©2017 - 2024 Copyright by Cryptohopper™ - All rights reserved.