COBINHOOD SECURITY POLICY PAGE

COBINHOOD is the next-generation cryptocurrency service platform with security as its top
priority. COBINHOOD recognizes the importance of security researchers in helping keep the
platform and the users’ assets and information safe.

Which is why we encourage responsible disclosure of security vulnerabilities on our platform
through the bug bounty program described below.

NAMING CONVENTION REQUIRED TO PARTICIPATE:

We have a KYC team approving new users. Please use the following naming convention while carrying out any testing:

• FIRST NAME: [Your First Name+Hacker]
• LAST NAME: [Your Last Name+One]

Responsible Disclosure

Responsible disclosure includes:
Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
Ensuring that efforts will be done in good faith to not leak or destroy any COBINHOOD’s user data.
Not defrauding COBINHOOD’s users or COBINHOOD itself in the process of discovering these vulnerabilities.

To promote responsible disclosure, the COBINHOOD team promises not to bring legal action against researchers who point out a problem provided that the researchers do their best to follow the guidelines stated above.

SLA

COBINHOOD, Ltd. will make a best effort to meet the following SLAs for hackers participating in our program:

• Time to first response (from report submit) - 5 business days
• Time to triage (from report submit) - 10 business days
• Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• Follow HackerOne's disclosure guidelines __.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of COBINHOOD, Ltd.

The minimum payout is $100 USD for reporting a low severity with possibility for direct exploitation. The maximum reward is $4000, and we may award higher amounts based on the severity or creativity of the vulnerability found. Please reference the Bounty Table at the top of our page.

Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.

We are interested in:

[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions
[2] Privileged information includes: passwords, API keys, bank account numbers, social security
numbers or equivalent information

Scope

The scope of this program is limited to security vulnerabilities found on the COBINHOOD website. All services provided by COBINHOOD are eligible to our bug bounty program, including the API,
Merchant Tools, and the Exchange.

Vulnerabilities reported on other properties or applications are currently not eligible for reward.
High impact vulnerabilities outside of this scope might be considered on a case-by-case basis.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS Lack of password length restrictions
• Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.
• Self-XSS
• Denial of service
• Spamming
• Vulnerabilities in third-party applications which make use of the COBINHOOD API
• Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim's device(s)
• Logout CSRF
• User existence/enumeration vulnerabilities
• Password complexity requirements
• Reports from automated tools or scans (without accompanying demonstration of exploitability)
• Social engineering attacks against COBINHOOD employees or contractors
• Text-only injection in error pages

Important: When reporting a vulnerability, you must provide an attack scenario and/or examples of the attack. Without this, we reserve the right to reject the bug as Not Applicable. COBINHOOD will determine, at its discretion, whether a vulnerability is eligible for a reward and the amount of the award.

By submitting a bug, you agree to be bound by the rules mentioned.

Thank you for helping keep COBINHOOD, Ltd. and our users safe!