A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: psirt@gemini.com
Expires: 2024-07-31T20:33:00.000Z
Encryption: https://www.gemini.com/static/pgp/gemini.asc
Preferred-Languages: en
Canonical: https://gemini.com/.well-known/security.txt
Hiring: https://www.gemini.com/careers

Bug Bounty Program Policy

At Gemini, we welcome contributions from security researchers to help us build and secure the future of money. If you believe you’ve discovered a vulnerability, please submit a PGP-encrypted report to the contact address listed above. Our team will investigate all valid reports and do our best to respond in a timely manner. To ensure all parties' expectations are met, please review the entirety of this policy before submitting a report to Gemini. By making a submission or otherwise participating in this program, you acknowledge your agreement to the terms set forth below.

Testing Guidance

Whenever possible, research and testing should be performed on our sandbox. The sandbox provides researchers with easy and unfettered access to our platform, including expedited account registration and the ability to interact with fictitious funds. The sandbox versions of our properties can be found at the following locations:
	api.sandbox.gemini.com
	docs.sandbox.gemini.com
	exchange.sandbox.gemini.com
	mobile.exchange.sandbox.gemini.com
	mobile.sandbox.gemini.com
	sandbox.gemini.com
	static.sandbox.gemini.com

Out-of-scope Issues

All vulnerabilities related to or requiring the following are considered outside the scope of this program:
	Reports relating to login/logout CSRF;
	Reports relating to email enumeration;
	Reports relating to password strength or complexity;
	Reports relating to missing security hardening headers;
	Reports relating to rate limiting issues;
	Reports that target vulnerabilities on outdated or deprecated browsers, open source libraries, or infrastructure;
	Reports from automated tools or scans;
	Vulnerabilities that involve physical access to a device;
	Vulnerabilities or weaknesses in third party applications that integrate with Gemini;
	Social engineering of Gemini's employees, contractors, or customers;
	Our policies on presence/absence of SPF/DMARC/DKIM/CAA/BIMI records;
	Physical attempts to gain access to Gemini property or data centers;
	Ability to abuse existing banking functionality such as ACH or credit card chargebacks;
	Any access to data where the targeted user needs to be operating a rooted or jailbroken mobile device;
	Self-XSS or developer console code execution;
	Click-jacking, or issues only exploitable via click-jacking;
	API keys embedded in mobile applications and web front ends with no security impact, including but not limited to Google Maps, Sentry, MixPanel, and public keys; and
	URLs and parameters leaked to 3rd parties without demonstrated attacker access.

Coordinated Disclosure Requirements

Complying with our safe harbor policy requires researchers to adhere to a Coordinated Disclosure process. Coordinated Disclosure requires that researchers abide by the following requirements:
	Share a detailed report that includes all information as it relates to the vulnerability;
	Provide the Gemini team with a reasonable amount of time to respond to details outlined in the report, before providing any information to anyone other than Gemini;
	Do not access or modify our data or our users’ data without explicit permission. Only interact with your own accounts or test accounts for security research purposes;
	Do not profit from or allow another party to profit from a vulnerability;
	Do not defraud Gemini or its customers in the process of participating in our program;
	Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service);
	If you inadvertently caused a privacy violation, or accessed, modified or destroyed any user data, you must disclose this in your report; and
	Otherwise comply with all applicable laws.

Safe Harbor Policy

To encourage responsible disclosures, Gemini will not pursue civil action or initiate a complaint to law enforcement for security research if vulnerability disclosure activities are consistent with this policy and guidelines. We consider security research and vulnerability disclosure activities conducted in accordance with this policy and the guidelines set forth below to be “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA and applicable anti-hacking laws such as Cal. Penal Code 502(c). We waive any DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue its own legal action against you. We cannot and do not authorize security research in the name of other entities. You are expected, as always, to comply with all applicable laws. Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

Payouts

Payout eligibility and amounts are decided at the discretion of our Security team and will follow the below mapping.

    Low severity      : $150
    Medium severity   : $350 - $500
    High severity     : $1,500 - $5,000
    Critical severity : $10,000 - $20,000

We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful behavior or violations of our Code of Conduct. We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).

The Fine Print

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.

Scopes
	In Scope
		api.sandbox.gemini.com
		docs.sandbox.gemini.com
		exchange.sandbox.gemini.com
		mobile.exchange.sandbox.gemini.com
		mobile.sandbox.gemini.com
		sandbox.gemini.com
		static.sandbox.gemini.com
	Out of Scope
		Any domain not explicitly listed above should be considered out-of-scope. If you believe that a given domain should be considered in-scope, please send an email to contact address listed above.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE0NPvHQMZdktS+NS5jxy+H7c0rXoFAmV4vVUACgkQjxy+H7c0
rXqKwA/+OBZjBhZ8ag53YPBb9nY0jXplkJPIr6XjEedgu0VI1mz3J1nRKWE9i08T
C7QwpXYQmc5PKwF8gbPWD6f5l0iQx+M5AkanV6PUDrsqRD9bcDGa2VHlg4CtmkEO
D2xAcLV7akzbAbSCLPFi4LxS6TLI97znivkSdyb5QqAzzEOwhDEzaLA7tYy6HQcp
nga8iz3F93nNpEDRm1DWAlL+01j5bxxwQraVs6HtXNQ8s9A4aP90AGJ860AnwMGK
y6C2aZ195m4gu0h+kxZ+Pl9t8WnjDixv1SpjM70JC1zG3m/3Gf/JuLCSPT+nh8kF
mv9695H0rd3i6i2kHAlxCsAFq8QgQTwkmVMnxebf92VBHUDY5TVN3vVtb+0zQtYY
uZJDw96SYDRVtrABRFzHKV6cuZKpdFjVVRV01IqlANz30undwpFi2Ucr82xXRYjv
bNCovd+5qXx/V/6Z8N/tAC4vW3AsRzk/l9dOycZ2pbibuWDCcjdLsIam9fki9f9A
S7iE7tvP6IZ02cmAMnBdtqzLfqEmvLDJeSAECNqatSc/smdlom03Kns0hZ1IfjFh
BReMR0MdHj+ug1gi2dCrbEZOWtLt7WZIri6QcFAo3IayIdahLJrHLhReL83EFcBr
S5KevDs/3eb9zRXQSk4XLxG4vMqXkNMfQQsRwc8BLM4h3Ca/pvA=
=sY4C
-----END PGP SIGNATURE-----