BitOrb Bounty Program
Important! When reporting a bug, you must provide an attack scenario and/or examples of the attack. Without this, we reserve the right to reject the bug as unverifiable. BitOrb will determine, at its discretion, whether a vulnerability is eligible for a reward and the amount of the award.
| Severity | Bugcrowd Equivalent | Definition | Reward (USD) |
|---|---|---|---|
| Critical | P1 | Vulnerabilities that could cause severe system impairment or compromise of user data and cryptocurrency assets | $500 |
| High | P2 | Unauthorized operations, SQL injection, malicious code injection, and source code leakage | $250 |
| Medium | P3, P4 | Vulnerabilities that affect some users but do not impair system functionality | $100 |
| Low | P5 | Non-critical vulnerabilities | $50 |
PROGRAM RULES
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
UP TO $4000 TO BE AWARDED FOR YOU!
- Our rewards are based on severity. Please note these are general guidelines, and that reward decisions are up to the discretion of BitOrb.
- The minimum payout is $100 USD for reporting a low-severity issue with the possibility of direct exploitation. The maximum reward is $4000, and we may award higher amounts based on the severity or creativity of the vulnerability found. Please refer to the bounty table at the top of this page.
- Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.
We are interested in:
- include depositing, trading, or sending money; OAuth or API key actions
- includes: passwords, API keys, wallet addresses, private keys
The scope of this program is limited to security vulnerabilities found on the BitOrb website. All services provided by BitOrb are eligible for our bug bounty program, including the API and the Exchange.
Vulnerabilities reported on other properties or applications are currently not eligible for a reward. High-impact vulnerabilities outside of this scope may be considered on a case-by-case basis.
OUT OF SCOPE VULNERABILITIES
- UI and UX bugs and spelling or localization mistakes.
- Vulnerabilities in third-party applications.
- Descriptive error messages (e.g. stack traces, application or server errors).
- Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g. stealing auth tokens, we do still want to hear about them.
- Publicly accessible login panels without proof of exploitation.
- Reports that state that software is out of date/vulnerable without a proof of concept.
- Host header issues without a proof of concept demonstrating the vulnerability.
- HTTP codes/pages or other HTTP non- codes/pages.
- Fingerprinting/banner disclosure on common/public services.
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.
- Any CSRF.
- Application error disclosure.
- User enumeration.
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HttpOnly flags on non-security-sensitive cookies.
- OPTIONS HTTP method enabled.
- Lack of a security speed bump when leaving the site.
- Weak CAPTCHA.
- Content injection issues.
- HTTPS mixed-content scripts.
- Content spoofing without embedded links/HTML.
- Reflected File Download (RFD).
- Best practices concerns.
- Highly speculative reports about theoretical damage. Be concrete.
- Missing HTTP security headers, for example:
  - Host header
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- Infrastructure vulnerabilities, including:
  - Certificate/TLS/SSL-related issues
  - DNS issues (e.g. MX records, SPF records)
  - Server configuration issues (e.g. open ports, TLS)
- Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including all versions of Internet Explorer.
- Vulnerabilities involving active content such as web browser add-ons.
- XSS issues that affect only outdated browsers (like Internet Explorer).
- Issues that require physical access to a victim’s computer.
- Physical or social engineering attempts (this includes phishing attacks against employees).
- Recently disclosed 0-day vulnerabilities.
- Microsites with little to no user data.
- Most brute-forcing issues.
- Denial of service.
HOW TO REPORT A BUG
Step 1) Visit https://support.bitorb.com/
Step 2) Click on “Create Case”
Step 3) Send us an e-mail with the subject line: Bounty Program
Responsible disclosure includes:
- Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
- Making a good-faith effort not to leak or destroy any BitOrb user data.
- Not defrauding BitOrb’s users or BitOrb itself in the process of discovering these vulnerabilities.
- To promote responsible disclosure, the BitOrb team promises not to bring legal action against researchers who point out a problem, provided that the researchers do their best to follow the guidelines stated above.
BitOrb will make a best effort to meet the following SLAs for hackers participating in our program:
- Time to first response (from report submit) – 3 business days
- Time for bug classification (from report submit) – 5 business days
- Time to bounty (from bug classification) – 10 business days
We’ll keep you informed about our progress throughout the process via our customer service portal.