Security Bounty Program

No technology is perfect. At Cryptohopper, we want traders to be able to manage their portfolios without having to worry about the safety of their data or the execution of their trades. If you find something that potentially affects the security of our users, we appreciate your help and reward actionable information.

In Scope

You can submit any number of vulnerabilities in our systems. Not all vulnerabilities are equal, though. If you find a vulnerability in one of the following categories, please contact us as soon as possible:

  • Cross-Site Scripting vulnerabilities (e.g. stored, reflected)
  • SQL Injection vulnerabilities
  • Encryption vulnerabilities
  • Remote Code Execution
  • Authentication Bypass, Unauthorized data access
  • XML External Entity
  • Unauthorized S3 bucket upload
  • Server-Side Request Forgery

The following domains and apps are eligible for rewards under this program:

  • cryptohopper.com
  • cryptotweeter.com
  • iOS application in the Apple App Store: cryptohopper-crypto-trading/id1463052050
  • Android application in the Google Play Store: com.cryptohopper_mobile

Out of Scope

We do not accept submissions in the following categories:

  • Ability to create user accounts without any limits
  • Ability to perform an action that is unavailable via the user interface, without an identified security risk
  • Ability to send emails with no control over content without any limits
  • Any activity that could lead to the disruption of our service (DoS)
  • Attacks that require MITM or physical access to a user's device
  • Clickjacking
  • Content spoofing and text injection
  • CSV injection without demonstrating a vulnerability
  • Disclosure of non-sensitive information, such as product version, file path on a server, stack trace, etc.
  • Disclosure of private IP addresses or domains pointing to private IP addresses
  • Leakage of sensitive tokens (e.g. password reset token) to trusted third parties on secure connection (HTTPS)
  • Missing best practices in SSL/TLS configuration
  • Missing best practices in DNS configuration (DKIM/DMARC/SPF/TXT)
  • Missing best practices in HTTP headers without demonstrating a vulnerability
  • Missing notifications about important actions
  • Missing protection mechanism or best practices without demonstration of real security impact for user or system
  • Previously known vulnerable libraries without a working proof of concept
  • Reports that include only crash dumps or automated tool output without a working proof of concept
  • Unauthenticated/login/logout CSRF
  • User enumeration
  • Vectors that require unpatched environment (e.g. missing Windows updates)
  • Vectors that require browser versions released 6 or more months before report submission

How to submit a vulnerability

You can submit vulnerabilities to us by email to security-bounty@cryptohopper.com (the user ID on the key below). Encrypt your message with the following PGP public key to keep the communication confidential, and check that the fingerprint of the key you imported matches the fingerprint below before you encrypt anything to it.

PGP Fingerprint

e824d4589f1897ede5543c4682000aa273a6b2cb

PGP Public Key

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQMuBGLNc40RCAC+mriRX++hTDYVuFiDEMjcUF/houFuAa1s+l6dVwV+s8bM47ye
xyI8+iOk4VimfXw5SiLTGO/DkXEVT8Hlv83N47qS361Lju2uEM/MsbA+TBZdkUS/
yxIeeYnqCHFnlf4KJN2Rv0hscJIKBGVZR2luIDkQuhrOumGaLcFf+3qxI96DPxx8
cTyHVG7ay3KAMt5rS8kikjIU1rp5cJGZ/zOvFQ3eBvoLKbe0c1mh96UlikNkIqyA
DIEhAx2BAlVe+Z+jud+w26kCWK9MSF+W5UwPBCcIOIuNyoaQQZUoG65fQlYcLZvd
PsRBny5Y8ddGQadWcpp4UvIIpMu/9xDvRIXpAQDIkoaN5vw6k8qZ7eAmFOZmBFpA
MwNbT/69cGIB/meftQf+IYt5iLXwHn4AckaWfVN31LHM6ZqQjUfpvsfGwbg4J/rK
fgFxUxsC1X6RDGMSLUQrb+K+Fu7ARx8jm1O7CiAloRIrgcuWT2sQhA4Q1xvsnll0
wc6fe5WiWFaMT+bRMy11l7IiGJmO0uzqrG8JhirF/kH+2PyrIc7gTVUVgjiIgaac
GZMzXbbmsVYMF7zr9LlGtEF/w2W0teeQXIU25pL24dtV9DfHBWXRrx3WDtpms++b
vHc0Lu4ZYUO407Y6wCX9ZedQwHJTXDZYA/9ERVHXxVGo0pGAHBFgvO0FetT3QeYF
EFI2sSdW0dfvakjnLW0Vr7inOHvkRwp2M+i/sthBCAf+OOigDgQ0XNAfAl+cs3uR
RXn5W2jZmO5sPVagoiZVqr5t0Yg+O+l0G8jSh9xQiHs9XR1DV3VU88PISJoXM4y7
pAaxmBLhL4hodBBIlFr00y2wKdXEtAr+3N80yN30BdNIE3v7D0BCCQVsFlgH75wU
Di1B6rQWlha7kxwzHY4y/ApK2FINZxVQmNTRQ31wiCQJ+1VTP5IMx/xJ7H7zaRtu
YY7OvQ9SNP9nCTctJB+ycazmZ0hRMnYVIunItDgBsOm8C1x61WUdMWh0OAYRsK6g
e+R4WmEApwFGSSDg6TFxV3XK5MVGlnlBY8aYA6MEGTAgKKcoFxbthkC2tavDj1N+
IbQgc2VjdXJpdHktYm91bnR5QGNyeXB0b2hvcHBlci5jb22IZAQTEQoADAUCYs1z
jQKZAQIbAwAKCRCCAAqic6ayy6k4AP9uwvUgoLovqP1HJYWU0VFlIxWLt8p2jm62
Y5Ku7Q5AFwD/b+r/Z7uLtvAeSS0owp52DmoHgTcbDJz94e68rRUo8kO5AwwEYs1z
jRAIAP9PIRJEvKz+aztz9ZLq5AWOLqhUVMOOB60KYNZt2XhplGll74NlbpPeMwXH
yDLLaa5X0/I9y+LOuVlm0mW21Nu9tmA5vajnFhNebQkVE9p2f/K6ob/cY0TsYuHG
+G+ibXhyEFG8qdvXGO9jwM7ANEvLmrc+SD79O8wdFC11dnYbNzgxjMSQCLvUpuKR
kafHa3EYESJS4zGhIHl5+rVCp+5e06MY5IGkVSHTmsghaDn/+mtP1Abhy1TWKC/H
Anv1CYyduWrJblYgvHLCo8u0MwdyQGYZ2K9scq9/N6joOqRdQ4uH5PjWOowuZPo8
EU1cAqf+96FD2tGBTOtrY3vjj2UIAP9PIRJEvKz+aztz9ZLq5AWOLqhUVMOOB60K
YNZt2XhplGll74NlbpPeMwXHyDLLaa5X0/I9y+LOuVlm0mW21Nu9tmA5vajnFhNe
bQkVE9p2f/K6ob/cY0TsYuHG+G+ibXhyEFG8qdvXGO9jwM7ANEvLmrc+SD79O8wd
FC11dnYbNzgxjMSQCLvUpuKRkafHa3EYESJS4zGhIHl5+rVCp+5e06MY5IGkVSHT
N6joOqRdQ4uH5PjWOowuZPo8EU1cAqf+96FD2tGBTOtrY3vjiPMIAJdYsIqhIJmA
X4J2YenXD3dRTa2GNRzqq7NlPNAZ2YBWCsSbEeyqnu+E5ImXIe3E0sts8CFAeE89
HiHMAr6KlYAfRvvpyr/H9r3J7Md3PdRKXDgnxKOntb8TZUdnurbDbAn6kPqPJ5CP
ckiKHTub4BTDt7lnXVi/uzqNlMNcTTRbQz8L7nHKIMkWMaAIv75uNF+t3CKHlRq2
Z7hX/le7VXGd2UqFtW+r6xVDt51byAF7e/IbhZvuhAfCx24PWk9Uf6KQvwTCVHgW
d5soojIKYHOX4Sjax3YZhwkA10/CVNUr8GJYaTlZ/aoo1EV8ZkWu8u4B8R0ULg5J
li4X/JHkyPWIYQQYEQoACQUCYs1zjQIbDAAKCRCCAAqic6ayy1GuAP94Gka9UCpN
FK7VpULNBMiRGld6i/xvW4A1NiTQ+jymZgD/cGbbAAJu6Edy9ycqGK4jkp4FMBiO
ip4IhOk8P7GzVYg=
=9hvR
-----END PGP PUBLIC KEY BLOCK-----

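The fingerprint check described above, as an added example that is not part of the Cryptohopper page: a POSIX shell script that imports the key block into a throwaway keyring, compares the imported primary key's fingerprint with the published one, and only then encrypts a report to that key. The file names cryptohopper.asc (the key block saved to disk) and report.txt are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Cryptohopper page. Assumed inputs:
# cryptohopper.asc = the armored key block above saved to a file,
# report.txt       = your written report.

# The fingerprint published on the page, lowercase and without spaces.
EXPECTED_FPR="e824d4589f1897ede5543c4682000aa273a6b2cb"

# normalize_fpr: drop spaces and colons and lowercase, so that gpg's
# "E824 D458 ..." display form compares equal to the published form.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' :' | tr 'A-Z' 'a-z'
}

# fpr_matches EXPECTED ACTUAL: succeed only when the full 40-hex-digit
# fingerprints are identical after normalization. A prefix or short key-ID
# match is deliberately not accepted.
fpr_matches() {
  want=$(normalize_fpr "$1")
  got=$(normalize_fpr "$2")
  [ "${#want}" -eq 40 ] && [ "$want" = "$got" ]
}

# verify_and_encrypt KEYFILE REPORT: import KEYFILE into a temporary keyring
# (so a tampered key never lands in your main keyring), compare the imported
# primary key's fingerprint with EXPECTED_FPR, and encrypt REPORT on a match.
verify_and_encrypt() {
  keyfile=$1
  report=$2
  home=$(mktemp -d) || return 1
  if ! gpg --homedir "$home" --batch --quiet --import "$keyfile"; then
    echo "key import failed (damaged armor or CRC error?)" >&2
    rm -rf "$home"; return 1
  fi
  # --with-colons: field 10 of the first "fpr" record is the primary key fingerprint.
  actual=$(gpg --homedir "$home" --batch --with-colons --fingerprint \
           | awk -F: '$1 == "fpr" { print $10; exit }')
  if ! fpr_matches "$EXPECTED_FPR" "$actual"; then
    echo "fingerprint mismatch: expected $EXPECTED_FPR, got $actual" >&2
    rm -rf "$home"; return 1
  fi
  # The key carries no third-party signatures in this throwaway keyring, so
  # --trust-model always is required; trust comes from the fingerprint check
  # above, not from the web of trust. Output goes to REPORT.asc.
  gpg --homedir "$home" --batch --trust-model always --armor \
      --recipient "$EXPECTED_FPR" --output "$report.asc" --encrypt "$report"
  rc=$?
  rm -rf "$home"
  return $rc
}

# Usage: verify_and_encrypt cryptohopper.asc report.txt   (writes report.txt.asc)
```

Comparing the full fingerprint rather than the 8- or 16-digit key ID matters: short key IDs can be collided cheaply, while the 40-digit fingerprint is what the page actually publishes.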

State concisely in your email which vulnerability you have found, and include the following:

  • Which vulnerability
  • The steps you took to reproduce it
  • The full URL
  • The objects involved (e.g. filters or input fields)
  • Screenshots and screen recordings are highly appreciated
  • Your IP address, which will be kept private and used to correlate your testing activity with our logs
  • A description of the issue that is as explicit and detailed as possible, together with any evidence you have. You can assume that the report will be read by security specialists

Rules

Take responsibility and act with extreme care and caution. When investigating, use only the methods and techniques that are necessary to find or demonstrate the vulnerability.

  • Be an ethical hacker and respect other users' privacy
  • Do not use vulnerabilities you discover for purposes other than your own investigation
  • Do not disclose vulnerabilities to parties other than Cryptohopper; give us a reasonable amount of time to resolve the issue before disclosing it to the public or a third party
  • Do not use social engineering to gain access to a system
  • Do not install any back doors, not even to demonstrate the vulnerability of a system. Back doors compromise the system's security
  • Do not alter or delete any information in the system. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further
  • Do not alter the system in any way
  • Only infiltrate a system if absolutely necessary. If you do manage to infiltrate a system, do not share access with others
  • Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems
  • Secure your own systems as tightly as possible

Rewards

We maintain flexibility in our reward system and have no minimum or maximum amount; rewards are based on severity, impact, and report quality. To receive a reward, you must reside in a country that is not on a sanctions list (e.g. Cuba, Iran, North Korea, Sudan and Syria). This is a discretionary program: Cryptohopper reserves the right to cancel it, and the decision whether to pay a reward is at our discretion.

Additional considerations:

  • When duplicates occur, we only award the first report that we receive
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
  • Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards

Frequently asked questions

Cryptohopper highly appreciates your effort in helping us secure our systems and processes. We determine the reward based on the impact of the finding. The reward is not always monetary; it can also take the form of a Cryptohopper subscription.

Never publicize vulnerabilities in our IT systems or your investigation without consulting us first. We can work together to prevent criminals from abusing your information. Please consult our security experts and give us time to solve the problem.

You can report anonymously: you do not have to give us your name and contact details when you report a vulnerability. Please realize, however, that we will then be unable to consult with you about follow-up measures, e.g. what we do about your report or further collaboration, or to send you a reward.

Please send security issues to security-bounty@cryptohopper.com using the PGP key provided in the Security Bounty Program documentation.

©2017 - 2022 Copyright by Cryptohopper™ - All rights reserved.