52212 policies in database
Link to program      
2021-03-29
Bitso logo
Thank
Gift
HOF
Reward

Reward

Bitso

Bitso Bug Bounty Program Rules

===========================

Bitso recognizes the importance of security researchers in helping keep our community and products safe. To recognize their efforts and the important role they play in keeping Bitso safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities.

Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.

Response Targets


Bitso will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days

  • Time to triage (from report submit) - 2 business days

  • Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Reporting Possible Vulnerabilities


You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.

If you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.

Please familiarize yourself with the non-qualifying vulnerabilities below.

Reporting guidelines


Please be aware that the quality of your report is critical to your submission. Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. You might want to consider using this as a template or checklist when writing up your report.

  • What type of issue are you reporting? Does it align to a CWE or OWASP issue?

  • How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).

  • What is the impact of your issue?

  • What are some scenarios where an attacker would be able to leverage this vulnerability?

  • What would be your suggested fix?

Please submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.

Responsible Disclosure


We are happy to thank everyone who submits valid reports which help us improve the security of Bitso!

However, Bitso will not be publicly disclosing reports at this time. If and when Bitso does disclose a report, it will be mutually agreed upon with the hacker. Bitso reserves the right to deny any request for public disclosure.

Qualifying Vulnerabilities


Only those that meet the following eligibility requirements may receive a monetary reward.

  • You must be the first reporter of a vulnerability.

  • The vulnerability must not be previously known to Bitso.

  • The vulnerability must be a qualifying vulnerability. (see below)

  • You may not publicly disclose the vulnerability prior to our resolution.

  • Making a good faith effort to not leak or destroy any Bitso user data.

  • Not defrauding Bitso users or Bitso itself in the process of discovery.

Bitso reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

Any design or implementation issue that is reproducible and substantially affects the security of Bitso users is likely to be in scope for the program. This includes anything which has the potential for financial loss or data breach of sufficient severity. Common examples include but are not limited to:

  • XSS

  • CSRF

  • Authentication bypass or privilege escalation

  • Click jacking

  • Remote code execution

  • Obtaining user information

>The domains nvio.ar and nvio.mx are considered as one asset, hence the first valid finding will be awarded a bounty and any additional submissions of the same or similar impact will be closed as a duplicate.

Non-Qualifying Vulnerabilities


Out-of-scope submissions are accepted and considered on a case by case basis and may be subject to a reward pending the review of the Bitso team. Any report that results in a change being made will at a minimum receive Hall of Fame recognition.

>Any other domain not specified in the In Scope section will be automatically considered into the Out-of-scope list.

Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Bitso users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

  • Denial of service

  • Spamming

  • Vulnerabilities in third party applications which make use of the Bitso API

  • Attacks requiring physical access to a user's device

  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)

  • Login/logout CSRF

  • Password and account recovery policies, such as reset link expiration or password complexity

  • Reports of spam

  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

  • Social engineering (e.g. phishing, vishing, smishing) of Bitso staff or contractors

  • Any physical attempts against Bitso property or data centers

  • Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages

Safe Harbor


Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

The Fine Print


You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.

Thank you for helping keep the crypto community safe!

In Scope

Scope Type Scope Name
android_application

com.bitso.wallet

android_application

com.bitso.alpha

ios_application

1292836438

ios_application

1539469172

web_application

bitso.com

web_application

api.bitso.com

web_application

bitso.com/alpha

web_application

nvio.mx

web_application

nvio.ar

Out of Scope

Scope Type Scope Name
web_application

help.bitso.com

web_application

status.bitso.com

web_application

dev.bitso.com

web_application

blog.bitso.com

web_application

devmalta.bitso.com

web_application

edu.bitso.com

web_application

stage.bitso.com

web_application

landing.bitso.com

web_application

sandbox.bitso.com

web_application

api-dev.bitso.com

web_application

api-stage.bitso.com

web_application

api-sandbox.bitso.com

web_application

stagemalta.bitso.com

web_application

dev.nvio.mx

web_application

stage.nvio.mx

web_application

sandbox.nvio.mx

web_application

dev.nvio.ar

web_application

stage.nvio.ar

web_application

sandbox.nvio.ar


This program crawled on the 2021-03-29 is sorted as bounty.

FireBounty © 2015-2024

Legal notices | Privacy policy