Security of user funds, data and communication is of utmost importance to
Gatecoin. In pursuit of the best possible security for our service, we welcome
responsible disclosure of any vulnerability you may find in Gatecoin. In order
to encourage responsible disclosure, we will not pursue legal action against
researchers who point out a problem provided they do follow principles of
responsible disclosure which include, but are not limited to:
Only access, expose, or modify your own customer data. Do not perform any attack that could harm the reliability or integrity of our services or data.
Avoid scanning techniques that are likely to cause degradation of service to other customers (e.g. DoS, spamming).
Keep within the guidelines of our Terms of Service.
Always keep details of vulnerabilities secret until Gatecoin has been notified and had a reasonable amount of time to fix the issue.
We may suspend your account and ban your IP if you do not respect these
In order to be eligible for a bounty, your submission must be accepted as
valid by Gatecoin. We use the following guidelines to determine the validity
of requests and the reward compensation offered.
Our engineers must be able to reproduce the security flaw from your report.
Reports that are too vague or unclear are not eligible for a reward. Reports
that include clearly written explanations and working code are more likely to
More severe bugs will be met with greater rewards. Any bug which has the
potential for financial loss or data breach is of sufficient severity.
In general, vulnerabilities that may lead to lower rewards are those that do
not cause one or several of the following results:
Partial/complete loss of funds
User information leak
Severe performance impact (other than DoS)
Loss of accuracy of exchange data
Gatecoin reserves the right to decide if the minimum severity qualification
threshold is met and whether it was already reported.
Authentication bypass or privilege escalation
Cross-site scripting (XSS)
Cross-site request forgery (CSRF/XSRF)
Server-side code execution
User data breach
Reporting the following vulnerabilities is appreciated but will not lead to a
systematic reward from Gatecoin.
Denial of Service vulnerabilities (DoS)
Possibilities to send malicious links to people you know
Security bugs in third-party websites that integrate with Gatecoin API
Vulnerabilities related to third-party software (e.g. Java, plugins, extensions) or websites, unless they lead to a vulnerability on the Gatecoin website
Usability issues, forms autocomplete
Insecure settings in non-sensitive cookies
Browser Cache vulnerabilities
Vulnerabilities (including XSS) that require a potential victim to install non-standard software or otherwise take very unlikely active steps to make themselves susceptible
Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
Vulnerabilities (including XSS) that affect only legacy browser/plugins
Disclaimer: the Blog is currently out of scope for the Bug Bounty
Only one bounty will be awarded per vulnerability.
If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
We maintain flexibility with our reward system, and have no minimum/maximum amount; rewards are based on severity, impact, and report quality.
To receive a reward, you must reside in a country not on international
sanctions lists. This is a discretionary program and Gatecoin reserves the
right to cancel the program and/or decide if the minimum severity threshold is
reached and if it was previously reported.
Please email us at email@example.com with
any vulnerability reports or with any question about the program. You can also
participate via our program on Crowdcurity.
This program, crawled on 2015-07-01, is sorted as a bounty.