Bug bounty program

Report bug

SpectroCoin is determined to ensure secure environment for its users. Although our IT specialists are doing their best to find every possible vulnerability on our platform, there is always a slight possibility that a few of them could have been overlooked. Thus, we decided to introduce a bug bounty program. Every SpectroCoin user can take part in the program and earn rewards by reporting the bugs they find in our system.

Rewards

SpectroCoin has not set a maximum reward for the vulnerabilities reported — higher rewards may be allocated depending on the severity of a reported bug. We distribute the bounties in accordance with the following guidelines, however, the determination of the final amount remains at our discretion. The rewards for eligible bugs are paid in Bitcoin or Ether.

The reward may be increased based on:

Quality of the description. Higher rewards may be paid for clear, well-written bug bounty reports.
Quality of the proof of concept. Higher rewards may be paid if testing code, scripts and detailed instructions are included.
Quality of the fix, if included. Higher rewards may be paid if suggestions on fixing the issue are provided.

Bug	Reward
Critical	$4,000 - $15,000
High	$1,000 - $4,000
Medium	$200 - $1,000
Low	up to $200

Only unknown and previously unreported vulnerabilities are considered for rewards.
We only reward one bounty per bug. If multiple reports are submitted for the same vulnerability, we will reward the first reporter only.
To receive a reward, there must be no legal obstacle to do so (e.g. you may not participate in this program if you are a resident or individual located within a country subject to international sanctions including but not limited to EC, FATF, US, UN.)
In any case SpectroCoin has the discretion to determine a reported vulnerability as insignificant, including its eligibility for the reward. By submitting a bug, you agree to follow the rules above.

How to report a bug

Bug report should contain a detailed step-by-step proof of concept that would allow us to reproduce and evaluate the issue. For example, a web-related report should contain at least:
- HTTP requests/responses together with affected parameters
- Screenshots or videos (if necessary)
- Description of the browser (type), OS, device and/or app version
- Description of the perceived impact of the vulnerability
- Suggestions on how to solve the issue (optional)
Do not publicly share any files and/or details related to the vulnerability. This includes uploads to any publicly accessible websites (i.e. YouTube, Imgur, Pastebin, etc.).
Encrypt your message and any attachments by using our PGP Public Key (available below).
Include your BTC/ETH address for payment.
Send your vulnerability reports to [email protected].

If our IT Security team cannot reproduce and verify the issue, the bounty will not be allocated.

PGP Public Key:Copy key:

mQINBFykZnkBEADU8WWyLBa6zHwd4fvoJNYe8wZxqTGqITN11HPJuPzoSQ1UPajGJMEOtGr9n6Emj5d/VIPRAHa08+RzFhrCsUDobqo2zK0xPHhVGq0mNojras6X6Y6oJM68gO7GqqCLNxPGRvWs3e9eRnB2uuP68d+t77YrHnogukRakCVtY6cHj4cKkZimblmP/UCxRCc4eUK88DUohwzdzT93bZg6pVilyC9b25TCYAoE1heyH5wB5SpHT5BBE1bzncfOZmcBNoVAKXKVqhvufF7jhvNFW2FQQf3EbdNlofWFVcyO8X9XTeZkAOoSRu4Kzb15RZw+VKwzNOBL9zHljZaI13uoPicA6BK2svpB9hhcFeTtGelk07b3l3mS/3eMg+aSKOwfdnhzy3UA21CD3vcZomjxZ61k42s7Q7t1xcJ04HiH4a6wlDedow+XDQwC3nMpbRV0+w9pk8E63zpxtejUPke0W6C0KugFx86C4VmWH6sgOymmBVjD/Zz089Tga9vUi1Dylv8MmkiwW+y8hhPAwWRayFLV+X7Fn7/Z1LSZsIQs0DnboDUCPkhPcE6/yTEan3dpMR/rMAT9jYLbib71NSlAjBFHdhlTwDE3Gz9H8fkcVuWnzW4Mn52CavN/Bmx5QZlXUGnid7NhIVWMvJ3EbcEUseeQZRXDvnwizrR8Q3nwsp4lJwARAQABtDV0ZWNobmljYWxAc3BlY3Ryb2NvaW4uY29tIDx0ZWNobmljYWxAc3BlY3Ryb2NvaW4uY29tPokCVAQTAQgAPhYhBPEtltWxbCYNDcJ9NVxoqXxc8LDcBQJcpGZ5AhsjBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEFxoqXxc8LDcGhYQAK/aPXKCzd4qJDkS+rAVWdRmZVBM1P2KxSqZmFaIhidkBOmUpSRtK1XFjhUykQYe2a1W5k6aCoN7W1JBkh6p2m1hqC/MlsW5oCBbKMyeUCEX1ac1wboENOJRZMmF9DqYEn544JengFxtlakfQ0/vZvfhzHoT2fcFBjQgHjKxeWIpdAmplp3i2vkf3eLknInNPNvyaPgPZNIHlxP7Qjd4jDFBvJ8eHZu+mDD+r6Xhk7WWvjAfb7CnCX6xxyvByGuoxYWnZOPRlx4SOIXtCmGNS9WOyPcuq8Z18cIiyBuVCLj4ukje3lXZyuNFVmbum4lngedsMtOJrzX9IiMSc9mH/Sph2ZtjNpWRIikjtN06iWetm/7rwstyxEFARHDPG3PO/WyL8cFWRum/9dmiAy0TZxo2drlldYtuG5bCW9uUG/vPwwapGodRGQEBmWDuvlVMDKq1QcwzQTifvXByW/KeRz252GR9Sx5+ERPLygA5/4XqriEGLXl5ixo2rME5hn1Q5ttpjEz32do3VZxp/4TkuJqhCB8Zt7o5J8Fdx5pClnArbfaQe99PY6UVONH61JylP4iWu7Dy14yJA/ENsXdo3u6giRatqpZ30pioHzoSsrFQjPlT17ZDp6kGHb2v5e/9n+zBwGqYMi7x1qifxMeYgv4fso6P0O4dDps/0RTsurHCuQINBFykZnkBEACr/DJs2rhAJOUlMiZzmuI75QhUYtKNr32PLbxXnI/GzR9eViO7yaEb/6mCOlHPkt3tvIEQHsqvIO7DG2NAbqZaUnYphN4+EgjFL7IXAV3IeLs05fIsymy9R8Td5wauaJ39P0JmGfwQq27S0CAIi9ALdXFb6ugMcXGfU8RlcO+e5x+qTaLO7ahuU1AOoHXzFN0nzt0MTT28WL/dUPBuHaRIXvmyZUnB/qwKCQn+YWou0fJCsAuRfF3Ga+Iw1s4hz5F6p35IPN93e1mGdRiQ103iT4JgOgrMg7qt/zLbKrSpBOaJUp61ztWsb2wyBY7R4MFfCS9oc5QEeUqQpqWsIQff3tozNl+aQ55xw80vvIngB5IEKE5IMxCUuCeVcz8TwhlXlMTpLiueC7ZATryYVgl/l4ZlUQZ41xqoLo1KeSNzUy6rBtjJTfofJi4DmM6BmIxIArrYTnfuQcFKuiGcgU3ulQf//REfibOat5vve7AMiu6jXM61flD+FHTZvjaOWlFzTsObL2ArJQB+vDo+7cBItktQcpom1XUaBkz1y30fqWjRX1WXp0EcxmWiEXZ4R0UHVzYIJI9iVA4wI2+TcvyycGrv5Wd07orLNUYDl8OOpyUHDg8svhWkvZjc7SxPiz1+OixA1y3yRJJ3Q6lIPqPARDasdWPRnk5qTDb7mpikxQARAQABiQI8BBgBCAAmFiEE8S2W1bFsJg0Nwn01XGipfFzwsNwFAlykZnkCGwwFCQPCZwAACgkQXGipfFzwsNzpfxAAqlrBdVtPfsEr3kK6zej1hl0qxR6vJHohKvyLAZDSU5LtkvLK12yMiyYLF4bKaClHOvq1lSaHLdlIXKzr7RJWZCxikoTPoUZgJJVFGJ5D8xC51WPlNimSzeVB0HPK4yrQNWbC8GziOEeEcTSnlFGSsRxjqh+0pdupCnKKUEmhYJ8lsrJ9eu2Cas3EgOX6jwFRN2VnrZQoo40NJYZ9jrzSjssSzND/wGiWmnYVAP8dCFVrvsjaFaI5FTtb697yhkmZal05UwqQh33Sq0V6oDsVAvrhclJoaxzIFXlg3eHEwFr9gK8pQy4DBdsrx5kd85nxEafLZQyKBuV+A4foM0LlOlAJT/U3XaOurTMxub189uHvYNofylrXqy2RylwfguYt+s/B20MWVq1dNdgo41XYsRZoFpU9tOBhoDe6djbKwpMXVnwNc4J4aDy/ALEG0CIJaDE8o8PTWfsHnCiDk/Yc+o4on4+eK/6KeGdtYrxtaKod0IJrQppQxZ+9ZLdzIGaorgR5/EOc48sqTYm7GzgnD4JPwASaSUuPSbBKPq8InMbwUfeoGKDWl9wrzi/0uJg8iW1VPSk6wwX7kvqS+8hngVNsp6Y94iTqk60nJk/f+NmmKhv2YOMH7jdK9qTuW4GCcndxWcwQSZnUEKzr6rV8wR6Dm+Z3iNSoURKsqSgemNY==SfEx

Report bug

Eligibility (Scope)

All services provided by SpectroCoin are eligible for our bug bounty program, including the iOS and Android SpectroCoin apps, SpectroCoin Wallet, API, Merchant Tools, Cards and Exchange. In general, vulnerabilities that have the potential for financial loss or data breach are considered of sufficient severity, including but not necessarily:

Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS)
Code Injection
Remote Code Execution
Privilege Escalation
Authentication Bypass
Clickjacking
Leakage of Sensitive Data

Ineligibility (Out of Scope)

In general, the following vulnerabilities do not meet the severity threshold:

Lack of DNSSEC
Host header injection without a specific and demonstrable impact
Flash based exploits
CSRF on forms that require no authentication or on non sensitive actions
Clickjacking on pages with no sensitive actions
Vulnerabilities that require Man-in-the-middle attack (MITM), or physical access to a user’s web browser, email account, smartphone and issues on rooted/jailbroken devices

Responsible disclosure

Responsible disclosure includes but is not limited to:

Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
Non-violation of the privacy of other users, destroying any data or disrupting our services, etc. (acting in good faith).
Not defrauding SpectroCoin users (do not interact with an individual account which includes modifying or accessing data from the account) or SpectroCoin itself in the process of discovery.
For exploits that need account access you must use your own account.
If you inadvertently access private data, we ask that you delete all related information, including but not limited to access codes, private data, etc., after notifying us.
If in the case of a bug you were able to access and/or move funds from SpectroCoin, you commit to returning the whole amount to SpectroCoin.

* To encourage responsible disclosure, we are not going to start legal action against the researchers who point out a problem provided they do their best to follow the guidelines above.

Help us keep SpectroCoin safe

Report bug