Securitize looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Securitize will make a best effort to meet the following SLAs for hackers participating in our program:

| Type of Response | SLA in business days |

| ------------- | ------------- |

| First Response | 3 days |

| Time to Triage | 3 days |

| Time to Bounty | 7 days (We respect your time and don't hesitate to reward) |

| Time to Resolution | depends on severity and complexity , typically pretty fast though |

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

• Follow HackerOne's disclosure guidelines.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Securitize.

Minimum reward for a vulnerability report: $50.

All payments are made through HackerOne

In scope vulnerabilities

Technical vulnerabilities or security-related problems in any of our company's internet public surface (websites and subdomains underneath Securitize's control)

Technical vulnerabilities or security-related problems in our company's Operators/Investors applications.

External Dependencies

Securitize makes use of a number of open (and closed) source libraries. If you discover a vulnerability in

an open source dependent library or OS component, we advise you to follow responsible disclosure procedures directly with the library or OS vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components. However, if one of those libraries included you can demonstrate a serious vulnerability of any of our software/servers as a result of that library with a working Proof of Concept, we will on a case-by-case basis consider this in-scope and grant rewards.

Out of scope vulnerabilities

Invalidate session after password reset vulnerabilities is out of scope

All Rate limit vulnerabilities Or DOS attacks are out of the the program scope

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions

• Weaknesses that would require Email Phishing or Social Engineering

• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

• Attacks requiring MITM or physical access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Comma Separated Values (CSV) injection without demonstrating a vulnerability.

• Missing best practices in SSL/TLS configuration.

• Content spoofing and text injection issues without showing an attack vector/without being able to modify * HTML/CSS

• Sites/Software that is run entirely by another company that is simply subdomain-ed or linked to from our company. Eg: Constant Contact, Zendesk, etc.

• Missing best practices in Content Security Policy.

• Missing HttpOnly or Secure flags on cookies

• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

• Vulnerabilities only affecting users of outdated or unpatched browsers or wallets [Less than 2 stable versions behind the latest released stable version]

• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

• Package include/dependency vulnerabilities without demonstrating a vulnerability.

Tabnabbing

• Open redirect - unless an additional security impact can be demonstrated

• Issues that require unlikely user interaction

• (KNOWN ISSUE) Disclosure of methods/endpoints/api keys involving 3rd party blockchain APIs (ex. bitcoin, tezos, waves etc) including known embedded API key, and known outdated swaggerhub/openapi issue. (also mentioned in specific scopes for increased awareness)

• DLL Hijacking vulnerabilities.

The following issues are currently considered do not attempt without permission:

• Extended testing/attacks of Securitize servers or infrastructure

• Rate limiting or brute-force attacks on Securitize backend infrastructure

• Any activity that could lead to the disruption of our service (DoS).

To request permission, please email Security@securitize.io and mention the details of your test including what endpoint(s) you will be hitting, what type of scan/attack/etc you would like to try, and what you're trying to achieve. We will respond within 2 working days, ideally less to your request. As long as it is reasonably well thought out and we don't see a risk on our end, we will approve the request.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Securitize and our users safe!