Bug Bounty
Welcome Bounty Hunters!
CoinSwitch is committed to a collaborative program that encourages security professionals to work together in safeguarding our systems and our customers' personal information from malicious activity. Our focus is on establishing robust security policies throughout our organization, prioritizing the safety and security of our customers' personal information above all else.
Should you come across a potential security vulnerability, we strongly encourage you to promptly report it to us. We treat all reports with utmost seriousness and will thoroughly investigate and address any valid findings.
In line with our commitment to customer protection, CoinSwitch adheres to a policy of not publicly disclosing, discussing, or confirming security matters until a thorough investigation, diagnosis, and resolution of any identified issues have been undertaken.
Vulnerability Disclosure Guidelines
1. DOs
Read and abide by the program policy.
Exercise caution when testing to avoid negative impact to customers and the services they depend on.
Perform testing using only accounts that are your own personal accounts or an account that you have the explicit permission from the account holder to utilize.
Stop when unsure. If you think you may cause, or have caused, damage while testing a vulnerability, report your initial finding and request authorization to continue testing.
2. DON'Ts
Do not violate the privacy of other users, destroy data or disrupt our services.
Do not brute-force or guess credentials to gain access to systems.
Do not participate in denial of service attacks.
Do not upload web shells or create a backdoor of any kind.
Do not engage in any form of social engineering attacks.
Do not publicly disclose vulnerability reports that are not resolved and approved for disclosure by CoinSwitch.
Do not engage or target any CoinSwitch employee, customer or vendor during your testing.
Legal Considerations
We value your involvement, but it is crucial to adhere to and respect all relevant laws and regulations. Security researchers who engage responsibly and in good faith within the bug bounty program will not face legal consequences. However, any unauthorized actions, or attempts to exploit vulnerabilities outside the specified scope, will be addressed in accordance with the law.
How to submit a Good Quality Report
Good quality reports lead to quicker resolution and a more accurate reward.
Include detailed and easy to follow reproduction steps along with screenshots or videos to support your finding.
Clearly describe the real-world impact that your finding could have on CoinSwitch assets or CoinSwitch customers.
Video proof-of-concepts (PoCs) will only be considered alongside a completed written report. Stand-alone video proof-of-concepts will automatically be closed.
A vulnerability must be reproducible for us to consider it in scope.
How to report an Issue
Send your report via email to our team at security@coinswitch.co
Rewards
The CoinSwitch Bug Bounty team retains the authority to determine all bounty amounts.
The decision regarding bounty payouts and the corresponding amounts, if any, rests solely with us. We are under no obligation to provide a payout for any submission.
Bounty amounts are generally assessed based on the criticality & impact of the findings.
Reports submitted through methods that violate policy rules will not qualify for a reward.
For eligibility, the report must pertain to a reward-eligible asset, as defined in the scope section of our policy.
It is important to recognize that there may be submissions for which we accept the risk, rely on other compensating controls, or handle in a manner different from what the reporter expects.
Please note that previous bounty amounts do not serve as precedents for future bounty amounts.
The severity and business impact of the reported vulnerability will be assessed to determine eligibility for rewards. Only vulnerabilities evaluated as having a high business impact by the CoinSwitch security team will be rewarded, subject to the sole discretion of CoinSwitch.
Target In-Scope
- Coinswitch.co
- CoinSwitch Android App
- CoinSwitch iOS App
Exclusions or Out-of-Scope Issues