BOUNTY PROGRAM

We reward bounty hunters and white hats for bringing potential threats, vulnerabilities and even product enhancements to our attention!

Read the T&Cs below

HOW DO YOU START?

You must provide examples of the vulnerability. Without them, we reserve the right to reject the bug as unverifiable. BitOrb will determine, at its discretion, whether a vulnerability is eligible for a reward and the amount of the award. Read the T&Cs below for more details.

SIGN INTO THE PORTAL

SUBMIT CASE WITH BUG DETAILS IN THE FORM PROVIDED

REWARD STRUCTURE

If your bugs/suggestions are accepted, you can be rewarded according to the following structure. Read the T&Cs below for more details.

Severity | BugCrowd Equivalent | Definition                                                                                                       | Reward (USD)
---------|---------------------|------------------------------------------------------------------------------------------------------------------|---------------
Critical | P1                  | Vulnerabilities that could cause severe system impairment, or compromise of user data and cryptocurrency assets | Up to $10,000
High     | P2                  | Unauthorized operations, SQL injection, malicious code injection and source code leakage                         | Up to $1,000
Medium   | P3, P4              | Vulnerabilities that affect some users but do not impair system functionality                                    | Up to $250
Low      | P5                  | Non-critical vulnerabilities                                                                                     | Up to $100

RULES

  • Please provide detailed cases with reproducible steps. If the case is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • In the case, fill in the form as follows:

Case Type: Bug Bounty

Subject: Choose according to your bug

Title: BugBounty_DescriptionOfYourChoice

Description: Include a detailed description of the bug, including the affected endpoint or feature, the steps to reproduce it and the impact you observed

Attachment: Pictures/screenshots/videos are highly encouraged to support your description/case

  • Submit one vulnerability per case, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first case that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • Our rewards are based on severity. Please note that these are general guidelines, and reward decisions are at the discretion of BitOrb.
  • The minimum payout is $50 USD, for a low-severity vulnerability that is directly exploitable. The maximum reward is $10,000.
  • Researchers who provide detailed cases in their reports are more likely to earn a larger reward, by demonstrating how a vulnerability can be exploited to maximum effect.
  • Rewards are paid out in BTC.
  • If a user who has successfully contributed to the BitOrb Bounty Program does not want their username to be shown on the Wall of Fame, please inform the marketing department at [email protected] with the subject line: Bounty Program – Wall of Fame

RESPONSIBLE DISCLOSURES

  1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  2. Ensuring that a good-faith effort is made not to leak or destroy any BitOrb user data.
  3. Not defrauding BitOrb's users or BitOrb itself in the process of discovering these vulnerabilities.
  4. To promote responsible disclosure, the BitOrb team promises not to bring legal action against researchers who report a problem, provided that the researchers follow the guidelines stated above.
SERVICE-LEVEL AGREEMENTS (SLA)

BitOrb will make a best effort to meet the following SLAs for participants in our program:

  • Time to respond (from case submitted): 3 working days
  • Time for bug classification (from case submitted): 10 working days
  • Time to bounty (from bug classification): 20 working days

We’ll keep you informed about our progress via the customer service portal (support.bitorb.com).

Scope

  1. The scope of this program is limited to security vulnerabilities found on the BitOrb exchange (testnet.bitorb.com and http://trade.bitorb.com/ ). All services provided by BitOrb are eligible for our bug bounty program, including the API and the exchange.

  2. Vulnerabilities reported on other properties or applications are currently not eligible for the reward. High impact vulnerabilities outside of this scope might be considered on a case-by-case basis.

  3. Functional (non-security) bugs will be considered on a case-by-case basis.

OUT OF SCOPE VULNERABILITIES

  1. UI and UX bugs and spelling or localization mistakes.
  2. Vulnerabilities in third-party applications.
  3. Descriptive error messages (e.g. stack traces, application or server errors).
  4. Open redirects. 99% of open redirects have a low security impact. For the rare cases where the impact is higher, e.g. stealing auth tokens, we do still want to hear about them.
  5. Publicly accessible login panels without proof of exploitation.
  6. Reports that state that software is out of date/vulnerable without a proof of concept.
  7. Host header issues without a proof of concept demonstrating the vulnerability.
  8. HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  9. Fingerprinting/banner disclosure on common/public services.
  10. Disclosure of known public files or directories (e.g. robots.txt).
  11. Clickjacking/tapjacking and issues only exploitable through clickjacking/tapjacking.
  12. Any CSRF.
  13. Application error disclosure.
  14. User enumeration.
  15. Presence of application or web browser "autocomplete" or "save password" functionality.
  16. Lack of Secure/HttpOnly flags on non-security-sensitive cookies.
  17. OPTIONS HTTP method enabled.
  18. Lack of a security speed bump (interstitial warning) when leaving the site.
  19. Weak CAPTCHA.
  20. Content injection issues.
  21. HTTPS mixed content scripts.
  22. Content spoofing without embedded links/HTML.
  23. Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  24. Reflected File Download (RFD).
  25. Best-practice concerns.
  26. Highly speculative reports about theoretical damage. Be concrete.
  27. Missing HTTP security headers, including:
      • Strict-Transport-Security
      • X-Frame-Options
      • X-XSS-Protection
      • Host Header
      • X-Content-Type-Options
      • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
      • Content-Security-Policy-Report-Only
  28. Infrastructure vulnerabilities, including:
      • Certificate/TLS/SSL related issues
      • DNS issues (e.g. MX records, SPF records)
      • Server configuration issues (e.g. open ports, TLS settings)
  29. Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including all versions of Internet Explorer.
  30. Vulnerabilities involving active content such as web browser add-ons.
  31. XSS issues that affect only outdated browsers (such as Internet Explorer).
  32. Issues that require physical access to a victim's computer.
  33. Physical or social engineering attempts (this includes phishing attacks against employees).
  34. Recently disclosed zero-day vulnerabilities.
  35. Microsites with little to no user data.
  36. Most brute-forcing issues.
  37. Denial of service.
  38. Spamming.

WALL OF FAME

With their consent, we list below everyone who has successfully contributed to the program.

K*******9

18 May 2020

J********D

23 March 2020

M********I

23 March 2020
