eToro BBP

Please note that your participation in the eToro Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page. By submitting a report, you acknowledge that you have read and agreed to these terms.

eToro works vigilantly with the information security community to help keep our customers' personal information secure. If you believe you have found a security vulnerability in eToro's systems, we would appreciate your help in disclosing it to us in a responsible manner.

We will investigate all reports and fix vulnerabilities according to our security policy. Please make a good faith effort to avoid privacy violations and disruptions to others. If you encounter any private information, please let us know.

Bug Bounty Policy

We ask that:

  • You provide us reasonable time to investigate and mitigate all reports. We will try to keep you informed about our progress throughout the process, but we are not obligated to.

  • Any finding provided by you shall be confidential and cannot be disclosed to third parties (even resolved ones) without our express consent. Violations of this section could disqualify you from the program.

  • You do not interact with an individual account (which includes modifying or accessing data from the account) without the owner’s written consent.

  • You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data and interruption or degradation of our services.

  • You refrain from exploiting a security issue you discover for any reason (this includes demonstrating additional risk, such as attempting to compromise sensitive company data or probing for additional issues).

  • You do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data.

  • For the purposes of this policy, you are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.

Bug Bounty Program Terms:

We recognize security researchers help us keep people safe by reporting vulnerabilities in our services.

  • If you use an account on our platform for testing, you must sign up using your HackerOne email address.

  • The following details must be recorded by the hacker prior to any testing and may be requested by eToro: IP address, User-Agent, and any usernames used on the platform (where applicable).

  • Adhere to our policy.

  • Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk (note that eToro ultimately determines the risk of an issue and that many software bugs are not security issues).

  • If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, you must disclose this in your report.

  • Do not interact with other accounts without written consent.

  • Your activities must not violate any law, or disrupt or compromise any eToro data.

  • We greatly appreciate reports that include suggested remediation steps.

  • We reserve the right to publish reports (and accompanying updates).

  • By making a submission, you represent and warrant that the report is original to you.

  • We reserve the right to modify the eToro Bug Bounty Program terms and conditions at any time.

Please note:

  • Testing out-of-scope assets will lead to an escalation to HackerOne.

  • Using automated tooling to send large volumes of requests (including stress testing) is strictly forbidden and may result in removal from the program.

  • File upload vulnerabilities are in scope; however, please refrain from generating large request volumes (more than 75 files).

Vulnerabilities that will be triaged as Low (until further notice):

  • Subdomain takeover

  • Missing SPF/DKIM/DMARC records on any of our domains.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the impact of the bug. The following issues are considered out of scope:

  • Any vulnerability regarding Facebook SDK on mobile.

  • WordPress vulnerabilities with low/medium severity.

  • Vulnerabilities on pages with no sensitive actions or information.

  • Unauthenticated/logout/login CSRF.

  • Lack of rate-limit.

  • Clickjacking/CORS (we use the Cordova framework on mobile platforms, which unfortunately requires a permissive CORS configuration).

  • Password complexity requirements, username/account/email enumeration, or any report that discusses how you can learn whether a given username or email address has an eToro account.

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • CSV injection without demonstrating a vulnerability.

  • Missing best practices in SSL/TLS configuration.

  • Any activity that could lead to the disruption of our service (DoS).

Any information you receive or collect about eToro through the eToro Bug Bounty Program must be kept confidential and only used in connection with the eToro Bug Bounty Program. You may not use, disclose or distribute any such confidential information, including, but not limited to, any information regarding your submission and information you obtain when researching the eToro sites, without eToro’s prior written consent.

As a condition of participation in the eToro Bug Bounty Program, you hereby grant eToro and its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sublicensable and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the submission, as well as any materials submitted to us in connection therewith, for any purpose. You should not send us any report that you do not wish to license to us. You hereby represent and warrant that any submission made by you to us is original to you and that you own all right, title and interest in and to it, and you waive any right or claim of any nature you may have arising from submitting a report to us.

Please note that if we discover that you breached any of your obligations above we will remove you from the eToro Bug Bounty Program and disqualify you from receiving any payments.

Thank you for helping keep eToro and our users safe!

In Scope

Scope Type            Scope Name
android_application   com.etoro.openbook
android_application   com.etoro.wallet
android_application   io.getdelta.android
ios_application       com.etoro.openbook
ios_application       com.etoro.wallet
ios_application       io.getdelta.ios
web_application       aggregator.etoro.com
web_application       api.etoro.com
web_application       billing.etoro.com
web_application       billing-pci.etoro.com
web_application       candle.etoro.com
web_application       candle-src.etoro.com
web_application       cashier.etoro.com
web_application       cashier-src.etoro.com
web_application       charts.etoro.com
web_application       push-d-gw.cloud.etoro.com
web_application       push-d-hap.cloud.etoro.com
web_application       push-demo-hk-lightstreamer.cloud.etoro.com
web_application       push-demo-lightstreamer.cloud.etoro.com
web_application       push-dn-hap.cloud.etoro.com
web_application       push-hap.cloud.etoro.com
web_application       push-lightstreamer.cloud.etoro.com
web_application       push-n-hap.cloud.etoro.com
web_application       push-real-hk-lightstreamer.cloud.etoro.com
web_application       etorologsapi.etoro.com
web_application       kyc.etoro.com
web_application       kyc-src.etoro.com
web_application       r.etoro.com
web_application       streams.etoro.com
web_application       sts.etoro.com
web_application       tapi-demo.etoro.com
web_application       tapi-real.etoro.com
web_application       uapi-front.etoro.com
web_application       wallet.etoro.com
web_application       watchlistapi.etoro.com
web_application       etorox.com
web_application       www.etoro.com
web_application       rankings.etoro.com
web_application       etoropartners.com
web_application       partners.etoro.com
web_application       delta.app

Out of Scope

Scope Type            Scope Name
web_application       api-portal.etoro.com
web_application       templates.etoro.com
web_application       Web and Mobile Assets


This program crawled on the 2022-02-22 is sorted as bounty.

FireBounty © 2015-2024