Bug Bounty Program

Coins.xyz recognizes the importance and value of security researchers’ efforts in helping to keep our services safe. We encourage responsible disclosure of vulnerabilities via our public bug bounty program (“Bug Bounty Program”) described on this page.

The Bug Bounty Program scope covers all software vulnerabilities in services provided by Coins.xyz.

A valid report should clearly demonstrate a software vulnerability that harms Coins.xyz systems or customers. A report must be a valid, in scope report in order to qualify for a bounty. Coins.xyz will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.

Program policies

Coins.xyz will not initiate legal action for security research conducted in accordance with this document even with accidental violations made with good faith. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c).

If legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coins.xyz cannot and does not authorize security research on other entities.

Please receive permission from our Security team (email us at [email protected]) before engaging in conduct that may be inconsistent with or unaddressed by this policy. This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.

Researcher requirements

Complying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:

• Providing Coins.ph a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.
• Making a good faith effort to preserve the confidentiality and integrity of any Coins.xyz customer data.
• Not defrauding Coins.xyz customers or Coins.xyz itself in the process of participating in the Bug Bounty Program.
• Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coins.xyz .
• Reporting vulnerabilities with no conditions, demands, or ransom threats.

Coins.xyz considers Social Engineering attacks against Coins.xyz employees to be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Coins.xyz employees will be banned from the Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.

Domains in scope

• *coins.xyz

Exclusions

• Theoretical vulnerabilities without actual proof of concept.
• Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC).
• Clickjacking/UI redressing with minimal security impact.
• Internally known issues, duplicate issues, or issues which have already been made public.
• Tab-nabbing.
• Self-XSS.
• Vulnerabilities only exploitable in old browsers or platforms (e.g. old version of browser which differs from the last stable version or outdated OS which do not receive security updates anymore).
• Lack of security flags in cookies outside of api.coins.asia domain.
• Issues related to unsafe SSL/TLS cipher suites or protocol version.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Missing security headers that do not lead to direct exploitation.
• CSRF with negligible security impact.
• CSP Headers, X-Frame-Options, Content sniffing, HPKP, etc.
• Content or text injection issues that are mitigated by CSP Headers or any other mitigations.
• If you submit a report about a missing/incomplete header, please be absolutely sure you are correct that there is a legitimate problem.
• If you believe that one of the above is affecting a major browser in a negative way, come prepared with a working proof of concept. Reports without a proof of concept will be denied.
• Vulnerabilities that require root/jailbreak.
• Vulnerabilities that require physical access to a user’s device.
• Issues that have no security impact (E.g. Failure to load a web page).
• Assets that do not belong to Coins.xyz.
• Phishing (E.g. HTTP Basic Authentication Phishing).
• Any activity (like DoS/DDoS) that disrupts our services.
• Installation Path Permissions.
• Attacks requiring MITM or physical access to a user’s device.
• Missing best practices without a working Proof of Concept.

Reporting the vulnerabilities

All vulnerabilities should be reported at [email protected]. In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coins.xyz that harms Coins.xyz or our customers. Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.

Please include the CVSS v3.1 Score calculation to your report. This will help us to assign the right priority to your report and speed up the process in general. One of the tools that can be used for the calculation: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Reports evaluation

Coins.ph awards bounties based on CVSS v3.1 Overall Score of the vulnerability. In order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coins.ph provides the below table which is based on the historical payouts:

The payouts listed above are minimum bounties per Category. Bonuses in excess of the vulnerability category minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.

Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.

How can you contact us about bug bounty questions

If you have questions or concerns regarding this program, you may contact us on our support page or by contacting directly our Security Officer at [email protected]