Railto recognizes the role the research community plays and encourages
responsible disclosure in order to keep our businesses and customers safe.
This is a vulnerability disclosure program; it does not currently pay
monetary rewards (bounties). We look forward to partnering with you.
You can sign up for a free account at https://www.railto.com. Our primary focus areas are:
- Cryptocurrency balances
- 2FA bypasses
- Customer information
In addition to the above focus areas, we are most interested in:
- SQL Injection
- Cross-site Scripting (XSS)
- Server-side Request Forgery (SSRF)
- Remote Code Execution (RCE)
- Cross-site Request Forgery (CSRF)
Railto, LLC will make a best effort to meet the following SLAs for researchers
participating in our program:
- Time to first response (from report submit) - 2 business days
- Time to triage (from report submit) - 2 business days
We’ll try to keep you informed about our progress throughout the process.
- By submitting a report, you agree to not publicly disclose or share the vulnerability with any third party until receiving confirmation from Railto that the vulnerability has been remediated.
- Once a vulnerability has been resolved, we will publicly disclose it unless otherwise requested by the disclosing researcher.
- Follow HackerOne's disclosure guidelines.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be triaged.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario /
exploitability, and (2) security impact of the bug. The following issues are
considered out of scope:
- Vulnerabilities requiring outdated browsers and platforms.
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Missing cookie flags on non-sensitive cookies.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
This program was found on HackerOne on 2019-10-01.