2021-03-29
Remitano

Introduction

Remitano recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.

Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Remitano account has been compromised, change your email password and immediately contact support via support@remitano.com.

The Bug Bounty Program directly serves Remitano's mission by helping us be the trusted way to exchange between fiat and cryptocurrencies. In that spirit, the scope and philosophy of the program aim to safeguard our two highest-priority assets (“Sensitive Data”):

  • Cryptocurrencies and fiat currency balances

  • Customer information

Response Times

Remitano will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days

  • Time to triage (from report submit) - 2 business days

  • Time to bounty (from triage) - 14 business days

We’ll try to keep you informed about our progress throughout the process.


Program Rules of Engagement

  • Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy. This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.

  • We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities. As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the #legalbugbounty project.

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Remitano.

  • Follow HackerOne's disclosure guidelines.

  • Making a good faith effort to preserve the confidentiality and integrity of any Remitano customer data.

  • Not defrauding Remitano customers or Remitano itself in the process of participating in the Bug Bounty Program.

  • Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Remitano.

  • Reporting vulnerabilities with no conditions, demands, or ransom threats.

Remitano considers Social Engineering attacks against Remitano employees to be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Remitano employees will be banned from the Remitano Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.

Please never attempt to access anyone else's data, and do not engage in any activity that would be disruptive or damaging to your fellow users or to Remitano.


Rewards

| | Critical (CVSS 9.0 - 10.0) | High (CVSS 7.0 - 8.9) | Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9) |
|-----------------|----------------------------|-----------------------|-------------------------|----------------------|
| Class A Rewards | $10,000 | $5,000 | $3,000 | $1,000 |
| Class B Rewards | $5,000 | $2,500 | $1,500 | $500 |
| Class C Rewards | $2,500 | $1,250 | $500 | $100 |

A report must be a valid, in-scope report in order to qualify for a bounty. Remitano will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.

Report Evaluation

In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Remitano that harms Remitano or Remitano customers. Reports that include a clear proof of concept or specific step-by-step instructions to reproduce the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.

Please be available to cooperate with the Remitano engineering team to provide further information on the report if needed.

On Treating Similar Vulnerabilities

In particular, we may decide that multiple reports are so closely related, or are all caused by a single underlying root cause, that we consider them a single vulnerability and reward it only once.


Vulnerabilities Categorization

We categorize issues into the following classes:

| Class of issues | Examples | Class of consideration |
|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|
| Funds being stolen | 1) Reversal of a crypto deposit; 2) Re-processing of a completed fiat or crypto withdrawal; 3) Successfully bypassing two-factor authentication to withdraw a user's fiat or crypto balance | Class A - highest |
| Compromise of customer information | 1) Being able to access another user's trading history; 2) Successfully compromising a user account without access to their email, Google account or Facebook account | Class B - medium |
| Other issues | 1) Crashing or delaying the Remitano website without performing a DDoS attack | Class C - low |

Note that we do not consider the following to be valid security attacks:

  1. Abusive reversal using ACH / bank transaction / credit card chargeback

  2. Logging in without a 2FA code - this is designed as a feature (we ask for the 2FA code when funds need to be moved)


Remidemo Testnet (https://remidemo.com)

As of 14 December 2020, Remitano has pushed out the Remidemo Testnet for researchers' testing.

  • Remidemo is a replica of our Remitano production system. Please note that the usernames in the two systems are totally independent, so please ensure that you register a new username on the Remidemo testnet.

Requesting privileged features on Remidemo

There are some areas of the Testnet for which you may request additional privileges from us in order to test them:

  • E.g. if you need a verified account to open or buy an advertisement, you can upload some sample images and request that your account be verified

  • E.g. request a coin balance to test the trading feature

To request any of these privileged features, kindly fill in this Google form and we will approve your request manually within 24 hours. We are looking to automate such requests in the near future. If you have several requests, please note that you will need to submit the form multiple times.


Remitano Testing Guidance

Remitano technology stack:

  • Amazon Web Services

  • Cloudflare

  • Node.js

  • PostgreSQL

  • Ruby on Rails

  • React/React Native

Product Features:

  1. P2P escrow - connect buyers and sellers to trade cryptos (https://remitano.com). We support P2P escrow trading on 6 currencies: BTC, ETH, USDT, XRP, LTC, BCH.

  2. Wholesale - created for large traders (https://wholesale.remitano.com) with competitive trading fees, which are much lower than those of some of the largest exchanges in the world.

  3. Swap - Swap instantly between cryptos (https://remitano.com/dashboard/wallets)

  4. Invest - Open investment positions in altcoins with Tether USDT (or purchase directly with fiat) (https://remitano.com/invest)

  5. Forum - Content Management System; users can submit their own posts, and our content team will review and publish user content - (https://remitano.com/forum)

  6. Wallet - Crypto wallet management; we support instant deposit and withdrawal for BTC, ETH, USDT (3 chains: Omni Tether, ERC-20 on Ethereum, TRC-20 on Tron), XRP, LTC, BCH. (https://remitano.com/dashboard/wallets)

  7. Multi-level Referral program (https://remitano.com/r/referral)

  8. Remitano API - Allows access to all of the features of the Remitano platform. Docs: https://developers.remitano.com

  9. Remitano Pay - Add Remitano Payment Gateway to third party ecommerce websites (https://remitano.com/payment_gateway)

Product Updates [We will keep this section regularly updated with new releases]

Recent releases:

  • 04/2022: Launch nft5.io

  • 11/2021: Launch AMM Liquidity Pool and Swap: https://remitano.com/pool

  • 07/2021: Introduced RENEC Network mining feature - https://remitano.com/remitano_pay

  • 06/2021: Launched Remitano Payment Gateway - https://remitano.com/payment_gateway

View this document for the full list of Remitano product updates, including those from early 2020 and 2019.


Out-of-Scope Vulnerabilities

Our scope is listed below in the structured scope section. Additionally, all vulnerabilities that require or are related to the following are out of scope:

  • Social engineering

  • Physical security

  • Non-security-impacting UX issues

  • Vulnerabilities or weaknesses in third party applications that integrate with Remitano

  • Bringing down Remitano with a DDoS attack

  • Abusive reversal using ACH / bank transaction / credit card chargeback

  • Logging in without a 2FA code - this is designed as a feature (we ask for the 2FA code when funds need to be moved)

If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that asset should be covered by this scope.


Legal and Fine Print

Remitano pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.

If legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Remitano cannot and does not authorize security research on other entities.

We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.

The current Bug Bounty Program as described on this page is v1.1 of our Bug Bounty Program.

In Scope

| Scope Type | Scope Name |
|---------------------|-----------------------|
| android_application | com.remitano.remitano |
| ios_application | 1116327021 |
| web_application | www.remitano.com |
| web_application | api.remitano.com |
| web_application | socket.remitano.com |

Out of Scope

| Scope Type | Scope Name |
|-----------------|-------------------------|
| web_application | blog.remitano.com |
| web_application | support.remitano.com |
| web_application | cdn.remitano.com |
| web_application | s3.remitano.com |
| web_application | sendgrid.remitano.com |
| web_application | status.remitano.com |
| web_application | developers.remitano.com |
| web_application | security.remitano.com |


This program, crawled on 2021-03-29, is sorted as bounty.

FireBounty © 2015-2024
