Responsible Disclosure

The responsible disclosure protocol describes what constitutes a potential security risk and how to report it.


Even though we design our systems from a security-first perspective and use third-party code reviews to check our systems for vulnerabilities, it is always possible that we missed something. If you discover a bug or potential security risk, please let us know! You can reach us at [email protected]. The following guidelines apply.

Rules

  • Please provide detailed reports with reproducible steps. If a report is not detailed enough for us to reproduce the issue, it will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Only interact with accounts you own or with explicit permission of the account holder.

Scope

Our responsible disclosure program covers all our products and services under our direct control. Some websites reachable under Bitvavo domains are not under our direct control; these are not eligible for rewards.

Examples of issues that are eligible for rewards, with the severity range each is typically rated at:

  Vulnerability                                                  Severity Range
  Remote Code Execution                                          Critical
  SQL Injection                                                  Medium - High
  XXE (XML External Entity injection)                            Medium - High
  XSS (Cross-Site Scripting)                                     Low - High
  Server-Side Request Forgery                                    High - Critical
  Authentication/Authorization Bypass (Broken Access Control)    Low - Critical
  Privilege Escalation                                           Low - Critical
  Security Misconfiguration                                      Low - Medium

Vulnerabilities not in the above list will be evaluated case by case.

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) the attack scenario and exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

  1. Brute-force attacks.
  2. Clickjacking of any kind. Framing protection is not configured on our test site, but our main domain sets an X-Frame-Options header.
  3. Missing security cookie attributes (Secure, HttpOnly, and SameSite).
  4. Forms missing CSRF tokens (we require evidence of an actual CSRF vulnerability).
  5. Attacks requiring a man-in-the-middle (MITM) position or physical access to a user's device.
  6. Previously known vulnerable libraries without a working proof of concept.
  7. Missing best practices in SSL/TLS configuration.
  8. Any activity that could lead to the disruption of our service (DoS).
  9. Absence of rate limiting.
  10. Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.
  11. Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.
  12. User enumeration of any kind (e.g. email ownership checks or timing attacks).
  13. Improper error handling unless proven in the production environment.
  14. Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) related findings.
  15. Open redirection at the /redirect endpoint via the redirect parameter, and at the /apps/affiliate/v1/generate-url endpoint via the merchant_fallback_url parameter.
  16. (mobile) Local access to user data on a rooted mobile device.
  17. (mobile) Attacks that require physical access to, or modification of, the mobile device.

Vulnerability guidelines

Critical

This severity level includes, but is not limited to:

  1. Vulnerabilities that can compromise the confidentiality, integrity, or availability of production and corporate resources and/or data, with low exploitation difficulty and/or little attacker skill required.
  2. Vulnerabilities that could be easily exploited by a remote or unauthenticated attacker and lead to system compromise and/or exposure of highly sensitive data or customer data of any kind, without requiring user interaction.

High

This severity level includes, but is not limited to:

  1. Vulnerabilities that can compromise the confidentiality, integrity, or availability of production and corporate resources and data.
  2. Vulnerabilities that could be easily exploited by an internal or external, authenticated or unauthenticated attacker and lead to system compromise and/or exposure of highly sensitive data or customer data, without requiring user interaction.
  3. Vulnerabilities that allow local users to gain increased privileges.
  4. Vulnerabilities that allow unauthenticated remote users to view sensitive information.

Medium

This severity level includes, but is not limited to:

  1. Vulnerabilities that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity, or availability of resources under certain circumstances.
  2. Vulnerabilities that could have had a critical or high impact but are less easily exploited, based on a technical evaluation of the flaw, or that affect unlikely configurations.

Low

This severity level includes, but is not limited to:

  1. Vulnerabilities that may be more difficult to exploit and could lead to only minimal compromise of the confidentiality, integrity, or availability of resources under unlikely circumstances.
  2. Vulnerabilities that require unlikely circumstances to be exploited, or where a successful exploit would have minimal consequences.

Reward

Rewards are paid in bitcoin or euros. The minimum reward for a bug is 100 EUR. For more serious issues, the bounty is (significantly) higher. Bounties are awarded at our discretion.

How to Report an Issue

Please send an e-mail to [email protected] with a proof of concept demonstrating the issue(s) you found.