At CryptFolio, we are committed to providing a safe and secure platform for our users. We constantly improve our services and carry out security updates to make sure your private information is safe. In order to achieve the utmost security, we are interested in receiving any information about vulnerabilities or bugs in our software.
If you have found a bug or vulnerability in our software systems or platform which puts either the availability of our systems or the data of our users at risk, we would like to know about it, and we are willing to provide a bounty reward.
CryptFolio will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the reward. If we deem a vulnerability is eligible for a reward, we can provide payment through Bitcoin, Litecoin, or any other cryptocurrency.
In order to be eligible for a bounty, you must comply with Responsible Disclosure. Responsible Disclosure includes:
- Providing CryptFolio with a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.
- Making a good faith effort to preserve the confidentiality and integrity of any CryptFolio customer data.
- Not defrauding CryptFolio customers or CryptFolio itself in the process of participating in the Bug Bounty Program.
- Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from CryptFolio.
- Reporting vulnerabilities with no conditions, demands, or ransom threats.
Failing to satisfy these Responsible Disclosure requirements will immediately and permanently exclude you from our Bug Bounty Program.
The following types of vulnerabilities will not qualify for a reward:
- Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari)
- Bugs related to browser extensions
- Bugs requiring exceedingly unlikely user interaction
- Insecure cookie settings for non-sensitive cookies
- Disclosure of public information and information that does not present significant risk
- Bugs that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible
- Bugs in content/services that are not owned/operated by CryptFolio
- Vulnerabilities that CryptFolio determines to be an accepted risk
- Scripting or other automation and brute forcing of intended functionality
In general, the following would not be considered significant risk:
- Lack of password length restrictions
- Merely showing that a page can be loaded in an iframe without identifying a link on that page that could be clickjacked
- Denial of service
- Vulnerabilities in third party applications which make use of the CryptFolio API
- Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim's device
- Logout CSRF
- User existence/enumeration vulnerabilities
- Password complexity requirements
- Reports from automated tools or scans (without accompanying demonstration of exploitability)
- Social engineering attacks against CryptFolio employees or contractors
- Text-only injection in error pages
- Automatic hyperlink construction by third-party email providers
- Using email address variations (+, ., etc.) to create multiple accounts for a single email address
The following types of third-party vulnerabilities are considered out-of-scope. If you identify a vulnerability in any of these external applications, then we recommend that you get in contact with the third parties directly:
- Sites not operated by CryptFolio (e.g. support.cryptfolio.com, status.cryptfolio.com, and others)
- Vulnerabilities already reported in a third party component (e.g. those with CVE identifiers)
- Vulnerabilities in deprecated open source libraries
- Vulnerabilities or weaknesses in third party applications that integrate with CryptFolio
- Vulnerabilities exposed through denial of service, spamming, or social engineering attacks; these are not eligible, and submitting them will result in a permanent ban from our Bug Bounty Program
Last updated: August 2018