Crypto.com Bug Bounty Program_
Crypto.com recognizes the importance of security researchers in helping keep
our community safe. We encourage responsible disclosure of security
vulnerabilities via our bug bounty program described on this page.
Note: This program is for the disclosure of software security
- Please do not Publicly Disclose any vulnerabilities without out our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.
- Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
- Do not use scanners or automated tools to find vulnerabilities. They’re noisy and we may ban your IP address.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.
- By submitting a bug, you agree to be bound by the rules.
In Scope Assets See Structured Scope
- An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.
- All services provided by Crypto.com are eligible for our bug bounty program, including the MCO APP Wallet and Exchange.
- Note: Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.
- Over time, additional apps or web application may come into scope, so please check back regularly.
- For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.
Out of Scope
The following domains below are hosted by third parties, and are not currently
eligible for our bug bounty program (unless they lead to a vulnerability on
the main website):
- Any other service not directly hosted or controlled by Crypto.com. Crypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.
We categorize bug reports into Low, Medium, High and Critical security risk
vulnerabilities. Rewards are administered according to the following
SEVERITY | CVSS SCORE | REWARD
Critical | 9.0 - 10.0 eg: RCE, SQL Injection, Manipulation of account balance
| $7500 + receive a MCO metal card without lockup + Swag
High | 7.0 - 8.9 eg: XSS/CSRF/Clickjacking affecting sensitive actions,
Authentication bypasses, Loss of privileged information (passwords, API keys,
private keys, etc.) | $3,000 + receive a MCO metal card without lockup + Swag
Medium | 4.0 - 6.9 eg: Partial authentication bypass, Other vulnerability
with clear potential for financial loss, Loss of user personal information
(addresses, phone numbers, etc) | $1000 + Swag
Low | 0.1 - 3.9 eg: Other XSS (excluding Self-XSS) Other CSRF (excluding
logout CSRF) | $250 + Swag
***To receive the MCO card and Swag we will need a postage address.
Note: If the Report does not include a valid Proof-of-Concept, the
qualification of rewards will be decided according to reproducibility and
severity of the vulnerability, and the rewards amount may be reduced
We have not set a maximum reward for the reporting of security
vulnerabilities, and may increase reward amounts based on the severity of the
vulnerability found. The specific amount of the bug will vary according to:
- The effect of the bug.
- The cause of the bug.
- Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.
- The process through which the bug was discovered. Besides earning a place in our security hall of fame, every security vulnerability submitted that results in a fix on our side will receive a monetary reward.
Non-Qualifying Vulnerabilities in the Mobile Apps
- Software bugs that have no security impact.
- Shared links leaked through the system clipboard.
- Any URIs leaked because a malicious app has permission to view URIs opened
- Absence of certificate pinning
- Sensitive data in URLs/request bodies when protected by TLS
- User data stored unencrypted on external storage and private directory.
- Lack of obfuscation is out of scope
- auth "app secret" hard-coded/recoverable in apk
- Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes
- Distributed denial of service attacks (DDOS).
- Lack of binary protection (anti-debugging) controls.
- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
- Path disclosure in the binary
- Snapshot/Pasteboard leakage
- Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)
- Already known issues, e.g. issues already reported by other researchers.
- Issues that aren’t reproducible.
- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
- Require physical connection to the device with developer-level debugging tool including but not limited to ADB.
- Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.
- Scenarios requiring excessive user interaction or tricking users like phishing or clickjacking.
- Exploit is based on a complex scenario or the probability of exploit is very low.
- Reports based on information that is already public.
- Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.
Previously Known Issues
- Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.
- Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.
- MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.
- By submitting a bug, you agree to be bound by the above rules.
Hall of Fame