Responsible Disclosure
Last updated: 07-June-2022
Even though we design our systems from a security-first perspective and engage third-party code reviews to check them for vulnerabilities, it is always possible that we missed something. If you discover a bug or potential security risk, please let us know! You can reach us at security@bitvavo.com. The following guidelines apply.
Scope
Our responsible disclosure program covers all our products and services under our direct control. Some of the websites reachable under Bitvavo domains are not under our direct control; these are not eligible for rewards.
Examples of issues that are eligible for rewards:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- Broken Access Control
- Cross-Site Scripting (XSS)
- Insecure Deserialization
Examples of issues that are ineligible for rewards:
- Issues that are not reproducible
- Issues related to social engineering
- Issues related to physical security
- Issues already known to us
- Issues that reveal used software
- Issues with no (real) security impact
- (D)DoS attacks
- Password policies
Reward
Rewards are paid in bitcoin or euro. The minimum reward for bugs is 100 EUR. For more serious issues, the bounty is (significantly) higher. The amount of any bounty is at our discretion.
How to Report an Issue
Please send an e-mail to security@bitvavo.com with a proof of concept explaining the issue(s) you found.