CoinSwitch is committed to security. We reward reporters for the responsible disclosure of in-scope issues and exploitation techniques.
If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible.
This program exists to allow highly skilled external security researchers to submit their findings to us through a proper vulnerability disclosure process.
Eligibility and Responsible Disclosure
We encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:
Follow the Vulnerability Disclosure Guidelines
Please read and follow the Vulnerability Disclosure Guidelines as laid out on our platform.
Respect all our users' privacy
Limit testing to accounts you own and do not impact other users. If you encounter any user data or program data (including but not limited to usernames, passwords, or vulnerability information), stop testing immediately and report it to us.
Bend, but not break
When testing, use the minimal proof of concept needed to validate a vulnerability; where a test may impact systems or users, ask permission first. In every case, do not damage a system or leave it in a more vulnerable state than when you found it.
Only reports that meet the following requirements are eligible to receive a monetary reward:
You must be the first reporter of the vulnerability.
The vulnerability must demonstrate security impact to a site or application in scope (see below).
You must not have compromised the privacy of our users.
You must not have publicly disclosed the vulnerability prior to the report being closed.
We are not legally prohibited from rewarding you.
Depending on their impact, issues may qualify for a monetary reward.
When researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect other users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in additional steps being taken.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
Attacks requiring physical access to a user's device.
Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).
Password and account recovery policies, such as reset link expiration or password complexity.
Invalid or missing SPF (Sender Policy Framework) records.
Content spoofing/text injection.
Bypass of URL malware detection.
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.
Issues relating to unlocking client-side features in modified applications, rooted devices, or jailbroken devices.
Special thanks to all those who have helped CoinSwitch: