coinswitch

Bug Bounty

CoinSwitch is committed to security. We reward reporters for the responsible disclosure of in-scope issues and exploitation techniques.

If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible.


Purpose

To allow highly skilled external security researchers to submit their findings to us through a proper vulnerability disclosure process.

Eligibility and Responsible Disclosure

We encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:

- Follow the Vulnerability Disclosure Guidelines
  As our platform lays out, please read and follow the Vulnerability Disclosure Guidelines.

- Respect all our users' privacy
  Limit testing to accounts you own and do not impact other users. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.

- Bend, but not break
  When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.

Reporting

Only reports that meet the following requirements are eligible to receive a monetary reward:

- You must be the first reporter of the vulnerability.
- The vulnerability must demonstrate security impact to a site or application in scope (see below).
- You must not have compromised the privacy of our users.
- You must not have publicly disclosed the vulnerability prior to the report being closed.
- We are not legally prohibited from rewarding you.

Depending on their impact, issues may qualify for a monetary reward.

When researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect other users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

- Attacks requiring physical access to a user's device.
- Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).
- Logout CSRF.
- Password and account recovery policies, such as reset link expiration or password complexity.
- Invalid or missing SPF (Sender Policy Framework) records.
- Content spoofing/text injection.
- Bypass of URL malware detection.
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.
- Issues relating to unlocking client-side features in modified applications, rooted devices, or jailbroken devices.

Special thanks to all those who have helped CoinSwitch:

2023

- Shikhar Tyagi
- Nitish Shah
- Aniket Kudale
- Prakash Kumar
- Mridul Rastogi