Bug bounty program
SpectroCoin is determined to ensure secure environment for its users. Although our IT specialists are doing their best to find every possible vulnerability on our platform, there is always a slight possibility that a few of them could have been overlooked. Thus, we decided to introduce a bug bounty program. Every SpectroCoin user can take part in the program and earn rewards by reporting the bugs they find in our system.
SpectroCoin has not set a maximum reward for the vulnerabilities reported — higher rewards may be allocated depending on the severity of a reported bug. We distribute the bounties in accordance with the following guidelines, however, the determination of the final amount remains at our discretion. The rewards for eligible bugs are paid in Bitcoin or Ether.
The reward may be increased based on:
- Quality of the description. Higher rewards may be paid for clear, well-written bug bounty reports.
- Quality of the proof of concept. Higher rewards may be paid if testing code, scripts and detailed instructions are included.
- Quality of the fix, if included. Higher rewards may be paid if suggestions on fixing the issue are provided.
|Critical||$4,000 - $15,000|
|High||$1,000 - $4,000|
|Medium||$200 - $1,000|
|Low||up to $200|
We only reward one bounty per bug. If multiple reports are submitted for the same vulnerability, we will reward the first reporter only.
To receive a reward, there must be no legal obstacle to do so (e.g. you may not participate in this program if you are a resident or individual located within a country subject to international sanctions including but not limited to EC, FATF, US, UN.)
In any case SpectroCoin has the discretion to determine a reported vulnerability as insignificant, including its eligibility for the reward. By submitting a bug, you agree to follow the rules above.
How to report a bug
Bug report should contain a detailed step-by-step proof of concept that
would allow us to reproduce and evaluate the issue. For example, a
web-related report should contain at least:
- HTTP requests/responses together with affected parameters
- Screenshots or videos (if necessary)
- Description of the browser (type), OS, device and/or app version
- Description of the perceived impact of the vulnerability
- Suggestions on how to solve the issue (optional)
- Do not publicly share any files and/or details related to the vulnerability. This includes uploads to any publicly accessible websites (i.e. YouTube, Imgur, Pastebin, etc.).
- Encrypt your message and any attachments by using our PGP Public Key (available below).
- Include your BTC/ETH address for payment.
- Send your vulnerability reports to [email protected].
If our IT Security team cannot reproduce and verify the issue, the bounty will not be allocated.
All services provided by SpectroCoin are eligible for our bug bounty program, including the iOS and Android SpectroCoin apps, SpectroCoin Wallet, API, Merchant Tools, Cards and Exchange. In general, vulnerabilities that have the potential for financial loss or data breach are considered of sufficient severity, including but not necessarily:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Code Injection
- Remote Code Execution
- Privilege Escalation
- Authentication Bypass
- Leakage of Sensitive Data
Ineligibility (Out of Scope)
In general, the following vulnerabilities do not meet the severity threshold:
- Lack of DNSSEC
- Host header injection without a specific and demonstrable impact
- Flash based exploits
- CSRF on forms that require no authentication or on non sensitive actions
- Clickjacking on pages with no sensitive actions
- Vulnerabilities that require Man-in-the-middle attack (MITM), or physical access to a user’s web browser, email account, smartphone and issues on rooted/jailbroken devices
Responsible disclosure includes but is not limited to:
- Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
- Non-violation of the privacy of other users, destroying any data or disrupting our services, etc. (acting in good faith).
- Not defrauding SpectroCoin users (do not interact with an individual account which includes modifying or accessing data from the account) or SpectroCoin itself in the process of discovery.
- For exploits that need account access you must use your own account.
- If you inadvertently access private data, we ask that you delete all related information, including but not limited to access codes, private data, etc., after notifying us.
- If in the case of a bug you were able to access and/or move funds from SpectroCoin, you commit to returning the whole amount to SpectroCoin.