In case you are uncertain of the rules of engagement, or anything else related to how to work with us on security issues, please write to us beforehand. To be classified as a Security Researcher you must fully comply with this Programme. In general, a bug report must be a valid, in-scope report to qualify as a bug report and, hence, to qualify for a reward. Responsible Disclosure reports may result in monetary compensation depending on both scope and potential business impact of the finding. Vulnerabilities related to outdated, unpatched browsers or operating systems, Vulnerabilities that have not been responsibly investigated (see point "Responsible Investigation"), Vulnerabilities that have not been completely reported (see point "Complete Bug Report"), Vulnerabilities that have been known by us or reported by someone else first. Rewards may be granted if the following requirements, called the “Researcher Requirements”, are collectively fulfilled: If just one of the above requirements is not fulfilled, this has to be assessed as a non-compliance with this Programme. Companies started Bug Bounty programs to improve their security; cyber security researchers find vulnerabilities on top websites and get rewarded. This means that a First Reporter requires a user account on the Bitpanda platform for receiving the reward. As mentioned, the 4 researcher parameters stated in point "Rewards" must be fulfilled for a report to be evaluated as a valid bug report. It also helps us measure the overall performance of our website. Every person participating in the Bitpanda Bug Bounty Programme is called a “Security Researcher”. We do read all reports within 24 hours, but as all reports are reviewed and personally investigated by our senior staff, it may take up to 10 business days before you hear back from us. Security of user data and communication is of utmost importance to Integromat.
To potentially qualify for a bounty, you first need to meet the following requirements: 1. Adhere to our Responsible Disclosure Policy (see above). The scope of evaluation concerning the impact ranges from low to critical. The evaluation of your complete bug report will be done solely by Bitpanda. Bitpanda can only accept complete bug reports, after sending it to Always include all of the files that you attempted to upload. Please make sure you keep the ruleset in mind before investigating any issues. Heavy impact on performance and accuracy of the platform. We value the work done by security researchers in making the Internet a safer and more secure space, and have developed this policy using guidance from ISO 29147:2018 Bug Bounty. Please include detailed steps to reproduce the bug and a brief description of what the impact is. Easily accessible vulnerability (critical exploitability) causing irreversible damage to Bitpanda or its users. At WeFact, we consider the security of our systems a top priority. In return, Ledger commits that security researchers reporting bugs will be protected from legal liability, so long as they follow responsible disclosure guidelines and principles. Bitpanda decides at its sole and own discretion whether a reward is granted and the exact amount of such bounty. Provide the complete PoC for your submission. Compromising the integrity of Bitpanda's trading system, UX issues not relating to security impacts, Vulnerabilities of any third-party software or application that interact with Bitpanda Services, Social engineering & identity theft actions. We provide a bug bounty program to better engage with security researchers and hackers. Responsible Disclosure. URL(s)/application(s) affected in the submission (even if you provided us a code snippet/video as well). Security of user funds, data and communication is of highest priority to Paysera.
If a Security Researcher that is qualified as a respective First Reporter is not able to set up a user account on the Bitpanda platform (e.g. If you think that you have discovered a security vulnerability on our web site or within our mobile apps, we appreciate your help in disclosing the issue to us. As the name would suggest, some cookies on our website are essential. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. Content injection, such as reflected text or HTML tags. We understand that discovering these issues can require a great deal of time and energy investment on your part, and we are happy to compensate you for your efforts. Security bug must be original and previously unreported. The table below will give you a general guideline of what you can expect for your investigation efforts: The above-mentioned amounts are minimum bounties for each level of vulnerability. Avoid scanning techniques that are likely to cause degradation of service to other customers. Please note that all these examples refer to unauthorized actions and not the normal intended functions (e.g. A bug report is complete if Bitpanda can reproduce the bug and can assess the potential impact. To receive a reward, the bug must not be already known to us and must be considered a legitimate threat to our business and/or users. To potentially qualify for a bounty, you first need to meet the following requirements: • Follow our responsible disclosure policy (see above). using Bitpanda's API, Websites not being Bitpanda Services or Non-Bitpanda Services as outlined above. A subsequent bug report reporting the same or similar vulnerability will not be eligible for a reward (first come first serve principle). credit card, wire transfers) which can lead to any kind of abuse.
The interaction with any other user account(s) is strictly forbidden, in particular, but without limitation to: Targeting or an attempt to target other user accounts; Any kind of disruption and/or damaging of other user accounts and/or a user's rights. Only access, disclose, or modify your own customer data. In order to encourage responsible disclosure, we will not pursue legal actions against the researchers who point out the problem provided they follow principles of responsible disclosure which include, but are not limited to: Vulnerabilities can be exploited without any special requirements like complicated hardware or software. The granted reward will be determined by Paysera, in particular: the eligibility a...