coinswitch

Bug Bounty

Welcome Bounty Hunters!

CoinSwitch is committed to a collaborative program that encourages security professionals to work together in safeguarding our systems and our customers' personal information from malicious activities. Our focus is on establishing robust security policies throughout our organization, prioritizing the safety and security of our customers' personal information above all else.
Should you come across a potential security vulnerability, we strongly encourage you to promptly report it to us. We treat all reports with utmost seriousness and will thoroughly investigate and address any valid findings.
In line with our commitment to customer protection, CoinSwitch adheres to a policy of not publicly disclosing, discussing, or confirming security matters until a thorough investigation, diagnosis, and resolution of any identified issues have been undertaken.


Vulnerability Disclosure Guidelines

1. DOs

- Read and abide by the program policy.
- Exercise caution when testing to avoid negative impact to customers and the services they depend on.
- Perform testing using only accounts that are your own personal accounts or an account that you have the explicit permission from the account holder to utilize.
- Stop when unsure. If you think you may cause, or have caused, damage while testing a vulnerability, report your initial finding and request authorization to continue testing.

2. DONTs

- Do not violate the privacy of other users, destroy data or disrupt our services.
- Do not brute-force or guess credentials to gain access to systems.
- Do not participate in denial of service attacks.
- Do not upload shells or create a backdoor of any kind.
- Do not engage in any form of social engineering attacks.
- Do not publicly disclose vulnerability reports that are not resolved and approved for disclosure by CoinSwitch.
- Do not engage or target any CoinSwitch employee, customer or vendor during your testing.

Legal Considerations

We value your involvement, but it's crucial to adhere to and show respect for all relevant laws and regulations. Security researchers who engage responsibly and in good faith within the bug bounty program will not face legal consequences. However, any unauthorized actions or attempts to exploit vulnerabilities outside the specified scope will be addressed in accordance with the law.



How to submit a Good Quality Report

- Good quality reports lead to quicker resolution and more accurate reward.
- Include detailed and easy-to-follow reproduction steps along with screenshots or videos to support your finding.
- Clearly describe the real-world impact that your finding could have on CoinSwitch assets or CoinSwitch customers.
- Video proof-of-concepts (PoCs) will only be considered with a completed report. Standalone video proof-of-concepts will automatically be closed.
- A vulnerability must be reproducible for us to consider it in scope.

How to report an Issue

Send your report via email to our team at security@coinswitch.co


Rewards

- The CoinSwitch Bug Bounty team retains the authority to determine all bounty amounts.
- The decision regarding bounty payouts and the corresponding amounts, if any, rests solely with us. We are under no obligation to provide a payout for any submission.
- Bounty amounts are generally assessed based on the criticality & impact of the findings.
- Reports submitted through methods that violate policy rules will not qualify for a reward.
- For eligibility, the report must pertain to a reward-eligible asset, as defined in the scope section of our policy.
- It is important to recognize that there may be submissions for which we accept the risk, employ other compensating controls, or handle in a manner different from expectations.
- Please note that previous bounty amounts do not serve as precedents for future bounty amounts.
- The severity and business impact of the reported vulnerability will be assessed to determine eligibility for rewards. Only vulnerabilities evaluated as having a high business impact by the CoinSwitch security team will be rewarded, subject to the sole discretion of CoinSwitch.

Target In-Scope

Exclusions or Out-of-Scope Issues


Special thanks to all those who have helped CoinSwitch: