Bug Bounty Program

Introduction


Here at Bitazza, we value the importance of security researchers’ efforts in helping to ensure the safety of our environment. Our Bug Bounty Program is in line with our mission and vision of being one of the most trusted platforms in the digital currency space. The Bug Bounty Program scope covers all software vulnerabilities in Bitazza’s services.


Responsible Disclosure


If you identify a security vulnerability, we ask that you make every effort not to leak data or damage the integrity of Bitazza’s systems, and that you report the issue to us privately. This means that you should:

  • Give us a reasonable amount of time to fix the issue before publishing it elsewhere
  • Provide us with details (code, endpoints, etc.) of the vulnerability so we can find and fix it
  • Not leak, tamper with, or destroy any Bitazza data
  • Not defraud Bitazza users or Bitazza itself (by making or enabling fraudulent transactions)
  • Not create a large number of user accounts or fake data records


A valid report must, therefore, clearly explain and demonstrate the software vulnerability that is harmful to Bitazza or Bitazza’s customers. A report must be valid and in accordance with the terms of the program to be eligible for the bounty. Bitazza will, in its sole discretion, determine whether a report qualifies for a reward and the amount of the reward. A valid report must include clear step-by-step instructions to replicate the vulnerability.


Bitazza rewards bounties based on the severity of the vulnerability. Severity is assessed along three dimensions (impact, exploitability, and overall severity), each rated from Critical to Low as follows:


  • Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.
  • Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impacting the accuracy and performance of a system.
  • Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.
  • Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.
  • Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Bitazza or Bitazza customers.
  • Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.

The determination of rewards will be based on our assessment of the impact and severity to our environment. While classifications such as OWASP may be used for reference, the final classification will depend on various factors including the severity, exploitability, and impact of the issue. Reports will be categorized into one of four reward tiers accordingly.

  • Critical - 100,000 THB
  • High     - 10,000–50,000 THB
  • Medium   - 3,000–5,000 THB
  • Low      - 300–1,000 THB

*Rewards are awarded in FDM (Freedom) at the current market rate.



Scope


Vulnerabilities that do not fall into Bitazza’s bounty program are:

  • Social engineering
  • Physical security
  • Non-security-impacting UX issues
  • Deprecated open-source libraries. If you would like to report a vulnerability in one of these libraries, please submit it via email.
  • Vulnerabilities or weaknesses in third-party applications that integrate with Bitazza
  • Ability to abuse existing banking functions such as ACH or credit card chargebacks
  • Physical attacks against Bitazza employees, offices, or data centers
  • Social engineering of Bitazza employees or users (e.g. phishing)
  • Denial of service (SYN floods, Slowloris attacks, etc.)
  • Vulnerabilities in third-party integrations with the Bitazza API
  • Vulnerabilities that are strictly client-side
  • Vulnerabilities that require physical access, rooted/jailbroken devices, or debug access to a user’s device
  • Issues in our blog (https://content.bitazza.com) and social media accounts (Facebook, Twitter, etc.)
  • Issues in our support platform
  • Logout CSRF
  • User existence / user enumeration
  • Text-only injection in error pages
  • Unconfirmed reports from automated vulnerability scanners
  • Server and software versions in HTTP response headers
  • Lack of password complexity restrictions


Should you feel that a particular vulnerability not mentioned here should be in scope, please kindly proceed with submitting the report along with an explanation.

Bitazza reserves the right to modify or cancel the Bug Bounty Program at any time.
