Here at Bitazza, we value the importance of security researchers’ efforts in helping to ensure the safety of our environment. Our Bug Bounty Program is in line with our mission and vision of being one of the most trusted platforms in the digital currency space. The Bug Bounty Program scope covers all software vulnerabilities in Bitazza’s services.
Responsible Disclosure
If you are able to identify a security vulnerability, we ask that all researchers make every effort to not leak data or damage the integrity of Bitazza’s systems and report the issue to us privately. This means to:
Provide us with a reasonable amount of time to fix the issue before publishing it elsewhere
Provide us with details (code, endpoints, etc.) of the vulnerability so we can find and fix it
Do not leak, tamper, or destroy any Bitazza data
Do not defraud Bitazza users or Bitazza itself (by making or enabling fraudulent transactions)
Do not create a large number of user accounts or fake data records
A valid report must, therefore, clearly explain and demonstrate the software vulnerability that is harmful to Bitazza or Bitazza’s customers. A report must be valid and in accordance with the terms of the program to be eligible for the bounty. Bitazza will, in its sole discretion, determine whether a report qualifies for a reward and the amount of the reward. A valid report must include clear step-by-step instructions to replicate the vulnerability.
Bitazza rewards bounties based on the severity of the vulnerability. The severity of the vulnerability can be categorized as such:
Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.
Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impacting the accuracy and performance of a system.
Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.
Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.
Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Bitazza or Bitazza customers.
Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.
Based on the different levels of severity, exploitability, and impact; the report will be classified into one of the 4 reward tiers
Critical - 100,000 THB
High - 10,000-50,000 THB
Medium - 3,000-5,000 THB
Low - 300-1,000 THB
(Rewards are paid in BTZ at the current market rate)
Scope
Vulnerabilities that do not fall into Bitazza’s bounty program are:
Social engineering
Physical security
Non-security-impacting UX issues
Deprecated Open Source libraries are not in scope. If you would like to report a vulnerability for one of these libraries, please submit it via email.
Vulnerabilities or weaknesses in third-party applications that integrate with Bitazza
Ability to abuse existing banking functions such as ACH or credit card chargebacks
Physical attacks against Bitazza employees, offices, or data centers
Social engineering of Bitazza employees or users (e.g. phishing)
Denial of service (SYN floods, Slowloris attacks, etc.)
Vulnerabilities in third-party integrations with the Bitazza API
Vulnerabilities that are strictly client-side
Vulnerabilities that require physical access, rooted/jailbroken devices, or debug access to a user’s device
Unconfirmed reports from automated vulnerability scanners
Server and software versions in HTTP response headers
Lack of password complexity restrictions
Should you feel that a particular vulnerability not mentioned here should be in scope, please kindly proceed with submitting the report along with an explanation.
Bitazza reserves the right to modify or cancel the Bug Bounty Program at any time.
Bitazza Support Manager
Introduction
Here at Bitazza, we value the importance of security researchers’ efforts in helping to ensure the safety of our environment. Our Bug Bounty Program is in line with our mission and vision of being one of the most trusted platforms in the digital currency space. The Bug Bounty Program scope covers all software vulnerabilities in Bitazza’s services.
Responsible Disclosure
If you are able to identify a security vulnerability, we ask that all researchers make every effort to not leak data or damage the integrity of Bitazza’s systems and report the issue to us privately. This means to:
A valid report must, therefore, clearly explain and demonstrate the software vulnerability that is harmful to Bitazza or Bitazza’s customers. A report must be valid and in accordance with the terms of the program to be eligible for the bounty. Bitazza will, in its sole discretion, determine whether a report qualifies for a reward and the amount of the reward. A valid report must include clear step-by-step instructions to replicate the vulnerability.
Bitazza rewards bounties based on the severity of the vulnerability. The severity of the vulnerability can be categorized as such:
Based on the different levels of severity, exploitability, and impact; the report will be classified into one of the 4 reward tiers
(Rewards are paid in BTZ at the current market rate)
Scope
Vulnerabilities that do not fall into Bitazza’s bounty program are:
Should you feel that a particular vulnerability not mentioned here should be in scope, please kindly proceed with submitting the report along with an explanation.
Bitazza reserves the right to modify or cancel the Bug Bounty Program at any time.
2 people like this