Kriptomat Bug Bounty
At Kriptomat we are putting a lot of effort into making our platform and mobile app bug-free. Despite all our efforts, it might still happen that we have missed a bug in our platform with significant vulnerability. In case you discover a bug please investigate it responsibly in cooperation with us and report the findings to us so we can address it with high priority. As a sign of appreciation for cooperating with us, we offer reward and recognition on our Wall of Fame.
Responsible Investigation and Reporting
Responsible investigation and reporting include, but isn’t limited to, the following:
- Consider the privacy of other users, don’t destroy data, don’t disrupt our services, etc.
- Only target your own accounts in the process of investigating the bug. Don’t target, attempt to access, or otherwise disrupt the accounts of other users.
- Stay away from targeting our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
- Disclose the bug only to us and not to anyone else.
- Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
In general, please investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
Eligibility
Generally speaking, any bug that poses a significant vulnerability, either to the security of our site, mobile app or the integrity of Kriptomat platform, could be eligible for the reward. But it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for the reward.
Security issues that typically would be eligible (though not necessarily in all cases) include:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Code Injection
- Eavesdropping
- Remote Code Execution
- Privilege Escalation
- Broken Authentication
- Clickjacking
- Sensitive Data Exposure
Ineligibility
Vulnerabilities that are not eligible for rewards — and are out of the scope of the bounty program — include:
- Vulnerabilities on sites hosted by third parties (KYC provider, payment providers, etc) unless they lead to a vulnerability on the main website.
- Vulnerabilities and bugs on the Kriptomat sites (www.kriptomat.io, kriptomat.io, mintapp.kriptomat.io).
- Vulnerabilities that are contingent on physical attack, social engineering, spamming, DDOS attack, etc.
- Vulnerabilities that are affecting outdated or unpatched browsers.
- Bugs that have not been responsibly investigated and reported.
- Bugs that are already known to us, or already reported by someone else (reward goes to the first reporter).
- Issues that aren’t reproducible.
- Issues that we can’t reasonably be expected to do anything about.
Reward
- The minimum reward for eligible bugs is the equivalent of 100 EUR in Bitcoins.
- Rewards over the minimum are at our discretion, but we will pay significantly more for particularly serious issues.
- Only one reward per bug.
How to Report a vulnerability
- Please submit the required information in our Bug Bounty program form.
- Include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or proof of concept.
- Please allow 7 business days for us to respond before sending another email.