2021-03-29
Bitso Bug Bounty Program Rules
==============================

Bitso recognizes the importance of security researchers in helping keep our community and products safe. To recognize their efforts and the important role they play in keeping Bitso safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities.

Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.

Response Targets


Bitso will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days

  • Time to triage (from report submit) - 2 business days

  • Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Reporting Possible Vulnerabilities


You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.

If you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.

Please familiarize yourself with the non-qualifying vulnerabilities below.

Reporting guidelines


Please be aware that the quality of your report is critical to your submission. Provide a detailed report with reproducible steps; if the report is not detailed enough for us to reproduce the issue, it will not be eligible for a reward. You may want to use the following as a template or checklist when writing up your report.

  • What type of issue are you reporting? Does it align to a CWE or OWASP issue?

  • How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).

  • What is the impact of your issue?

  • What are some scenarios where an attacker would be able to leverage this vulnerability?

  • What would be your suggested fix?

Please submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.

Responsible Disclosure


We are happy to thank everyone who submits valid reports which help us improve the security of Bitso!

However, Bitso will not be publicly disclosing reports at this time. If and when Bitso does disclose a report, it will be mutually agreed upon with the hacker. Bitso reserves the right to deny any request for public disclosure.

Qualifying Vulnerabilities


Only those that meet the following eligibility requirements may receive a monetary reward.

  • You must be the first reporter of a vulnerability.

  • The vulnerability must not be previously known to Bitso.

  • The vulnerability must be a qualifying vulnerability (see below).

  • You may not publicly disclose the vulnerability prior to our resolution.

  • You must make a good-faith effort not to leak or destroy any Bitso user data.

  • You must not defraud Bitso users or Bitso itself in the process of discovery.

Bitso reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

Any design or implementation issue that is reproducible and substantially affects the security of Bitso users is likely to be in scope for the program. This includes anything which has the potential for financial loss or data breach of sufficient severity. Common examples include but are not limited to:

  • XSS

  • CSRF

  • Authentication bypass or privilege escalation

  • Clickjacking

  • Remote code execution

  • Obtaining user information

> The domains nvio.ar and nvio.mx are considered one asset; hence the first valid finding will be awarded a bounty, and any additional submissions of the same or similar impact will be closed as duplicates.

Non-Qualifying Vulnerabilities


Out-of-scope submissions are accepted and considered on a case-by-case basis, and may be rewarded following review by the Bitso team. Any report that results in a change being made will at a minimum receive Hall of Fame recognition.

> Any other domain not listed in the In Scope section is automatically considered out of scope.

Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Bitso users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

  • Denial of service

  • Spamming

  • Vulnerabilities in third party applications which make use of the Bitso API

  • Attacks requiring physical access to a user's device

  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)

  • Login/logout CSRF

  • Password and account recovery policies, such as reset link expiration or password complexity

  • Reports of spam

  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

  • Social engineering (e.g. phishing, vishing, smishing) of Bitso staff or contractors

  • Any physical attempts against Bitso property or data centers

  • Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages

Safe Harbor


Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

The Fine Print


You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.

Thank you for helping keep the crypto community safe!

In Scope

| Scope Type | Scope Name |
|---|---|
| android_application | com.bitso.wallet |
| android_application | com.bitso.alpha |
| ios_application | 1292836438 |
| ios_application | 1539469172 |
| web_application | bitso.com |
| web_application | api.bitso.com |
| web_application | bitso.com/alpha |
| web_application | nvio.mx |
| web_application | nvio.ar |

Out of Scope

| Scope Type | Scope Name |
|---|---|
| web_application | help.bitso.com |
| web_application | status.bitso.com |
| web_application | dev.bitso.com |
| web_application | blog.bitso.com |
| web_application | devmalta.bitso.com |
| web_application | edu.bitso.com |
| web_application | stage.bitso.com |
| web_application | landing.bitso.com |
| web_application | sandbox.bitso.com |
| web_application | api-dev.bitso.com |
| web_application | api-stage.bitso.com |
| web_application | api-sandbox.bitso.com |
| web_application | stagemalta.bitso.com |
| web_application | dev.nvio.mx |
| web_application | stage.nvio.mx |
| web_application | sandbox.nvio.mx |
| web_application | dev.nvio.ar |
| web_application | stage.nvio.ar |
| web_application | sandbox.nvio.ar |

This program, crawled on 2021-03-29, is sorted as bounty.

FireBounty © 2015-2024