CryptFolio®

Bug Bounty Programme

At CryptFolio, we are committed to providing a safe and secure platform for our users. We constantly improve our services and carry out security updates to make sure your private information is safe. In order to achieve the utmost security, we are interested in receiving any information about vulnerabilities or bugs in our software.

If you have found a bug or vulnerability in our software systems or platform which puts either the availability of our systems or the data of our users at risk, we would like to know about it, and we are willing to provide a bounty reward.

CryptFolio will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the reward. If we deem a vulnerability eligible for a reward, we can provide payment through Bitcoin, Litecoin, or any other cryptocurrency.

Responsible Disclosure

In order to be eligible for a bounty you must comply with Responsible Disclosure. Responsible Disclosure includes:

  1. Providing CryptFolio a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.
  2. Making a good faith effort to preserve the confidentiality and integrity of any CryptFolio customer data.
  3. Not defrauding CryptFolio customers or CryptFolio itself in the process of participating in the Bug Bounty Programme.
  4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Programme payouts from CryptFolio.
  5. Reporting vulnerabilities with no conditions, demands, or ransom threats.

Not satisfying these Responsible Disclosure requirements will immediately and permanently exclude you from our bug bounty programme.

Exceptions

The following types of vulnerabilities will not qualify for a reward:

  • Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari)
  • Bugs related to browser extensions
  • Bugs requiring exceedingly unlikely user interaction
  • Insecure cookie settings for non-sensitive cookies
  • Disclosure of public information and information that does not present significant risk
  • Bugs that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible
  • Bugs in content/services that are not owned/operated by CryptFolio
  • Vulnerabilities that CryptFolio determines to be an accepted risk
  • Scripting or other automation and brute forcing of intended functionality

In general, the following would not be considered significant risk:

  • Lack of password length restrictions
  • Merely showing that a page can be IFRAMEd without finding a link on the page to be click-jacked
  • Self-XSS
  • Denial of service
  • Spamming
  • Vulnerabilities in third party applications which make use of the CryptFolio API
  • Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim's device
  • Logout CSRF
  • User existence/enumeration vulnerabilities
  • Password complexity requirements
  • Reports from automated tools or scans (without accompanying demonstration of exploitability)
  • Social engineering attacks against CryptFolio employees or contractors
  • Text-only injection in error pages
  • Automatic hyperlink construction by 3rd party email providers
  • Using email mutations (+, ., etc.) to create multiple accounts for a single email address

Scope

At all times, you must adhere to our terms of use.

The following types of third-party vulnerabilities are considered out-of-scope. If you identify a vulnerability in any of these external applications, then we recommend that you get in contact with the third parties directly:

  • Sites not operated by CryptFolio (e.g. support.cryptfolio.com, status.cryptfolio.com, and others)
  • Vulnerabilities already reported in a third party component (e.g. those with CVE identifiers)
  • Vulnerabilities in deprecated open source libraries
  • Vulnerabilities or weaknesses in third party applications that integrate with CryptFolio
  • Vulnerabilities exposed through denial of service, spamming, or social engineering attacks are not eligible and we will permanently ban you from our bounty programme

Submit a Vulnerability

As a reminder, you must agree to our terms of use to access the platform and to participate in our bug bounty programme. We will determine in our sole discretion whether a vulnerability is eligible for an award, and the amount for an award.

Last updated: August 2018