Responsible Disclosure

The responsible disclosure protocol describes what consists a potential security risk and how to report it.

Responsible Disclosure

Last updated: 07-June-2022

Even though we design our systems from a security first perspective, and use third party code reviews to review our systems for vulnerabilities, it is always possible we missed something. If you discover a bug or potential security risk, please let us know! You can reach us at security@bitvavo.com. The following guidelines apply.

Scope

Our responsible disclosure program covers all our products and services under our direct control. Some of the websites that are reachable under Bitvavo domains are not under our direct control. These are not eligible for rewards:

Examples of issues that are eligible for rewards:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. Broken Access Control
  5. Cross-Site Scripting (XSS)
  6. Insecure Deserialization

Examples of issues that are ineligible for rewards:

  1. Issues that are not reproducible
  2. Issues related to social engineering
  3. Issues related to physical security
  4. Issues already known to us
  5. Issues that reveal used software
  6. Issues with no (real) security impact
  7. (D)DOS attacks
  8. Password policies

Reward

Rewards are paid in bitcoin or euro. The minimum reward for bugs is 100 EUR. For more serious issues, the bounty is (significantly) higher. These bounties are at our discretion.

How to Report an Issue

Please send an e-mail to security@bitvavo.com with a proof of concept explaining the issue(s) you found.