Bitbns Bug Bounty Program

Summary

- If you spot any security issue, you will be eligible for a reward, provided you report it directly to us

- Reward will be based on the severity of the issue (at least ₹1000 assured)

- Send a description of the issue, along with details on how to reproduce it, to: secure@bitbns.com

Table of Contents

  1. Intro
  2. Guidelines
  3. Scope
    a. Qualifying vulnerabilities
    b. Non-Qualifying vulnerabilities
    c. Non-Qualifying vulnerabilities — Mobile Apps
  4. Communications from Bitbns
  5. Rewards
  6. Reporting format

Help us to secure Bitbns further!

Bitbns invites independent security groups or individual researchers to study it across all platforms and help us make it even safer for our customers. Please alert us to any potential security flaw you find. We would suitably reward you for your efforts in cryptocurrencies. Though we welcome reporting of non-security issues, please note that only genuine security issues are eligible for rewards and we may not be able to respond to non-security issues. Send detailed description at secure@bitbns.com

Guidelines

All researchers are expected to:

  1. Report their finding by writing to us directly at secure@bitbns.com without making any information public. We will confirm receipt within 72 working hours of submission.
  2. Keep the information about any vulnerability you've discovered confidential between Bitbns & yourself until we have resolved the problem.
  3. Based on the criticality level we might take 2 days to 2 weeks to fix the vulnerability.
  4. Disclosure of the vulnerability to public, social media or a third party will result in suspension from Bitbns's Bug Bounty and Secure Bitbns Reward Program.
  5. Please make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  6. Perform research only within the following limited scope. If you follow these guidelines when reporting an issue to us, we commit to:
    - Working with you to understand and resolve the issue quickly
    - Suitably reward your efforts
    - Not pursue or support any legal action related to your research

Scope

Website: https://bitbns.com

Mobile Apps: (Android, IOS)

Out-of-Scope Properties: Any subdomain which is not connected to Bitbns.com, Android and iOS mobile Apps directly.

Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

  1. Cross-site Scripting (XSS)
  2. Cross-Site Request Forgery (CSRF)
  3. Server-Side Request Forgery (SSRF)
  4. SQL Injection
  5. Server-Side Remote Code Execution (RCE)
  6. XML External Entity Attacks (XXE)
  7. Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc)
  8. Exposed Administrative Panels that don't require login credentials
  9. Directory Traversal Issues
  10. Local File Disclosure (LFD) and Remote File Inclusion (RFI)
  11. Payments Manipulation
  12. Flaw in 3rd party integrations to make free orders from Bitbns merchants
  13. Server-side code execution bugs
Non-Qualifying Vulnerabilities
  1. Open-Redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing oauth tokens, we do still want to hear about them.
  2. Reports that state that software is out of date/vulnerable without a 'Proof of Concept'.
  3. Host header issues without an accompanying POC demonstrating vulnerability.
  4. XSS issues that affect only outdated browsers.
  5. Stack traces that disclose information.
  6. Clickjacking and issues only exploitable through clickjacking.
  7. CSV injection. Please see this article: https://goo.gl/bamS8l
  8. Best practices concerns.
  9. Highly speculative reports about theoretical damage. Be concrete.
  10. Self-XSS that can not be used to exploit other users.
  11. Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
  12. Reports from automated web vulnerability scanners (Acunetix, Burp Suite, Vega, etc.) that have not been validated.
  13. Denial of Service Attacks.
  14. Brute Force Attacks
  15. Reflected File Download (RFD).
  16. Physical or social engineering attempts (this includes phishing attacks against Bitbns employees).
  17. Content injection issues.
  18. Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
  19. Missing autocomplete attributes.
  20. Missing cookie flags on non-security-sensitive cookies.
  21. Issues that require physical access to a victim's computer.
  22. Missing security headers that do not present an immediate security vulnerability.
  23. Fraud Issues.
  24. Recommendations about security enhancement.
  25. SSL/TLS scan reports (this means output from sites such as SSL Labs).
  26. Banner grabbing issues (figuring out what web server we use, etc.).
  27. Open ports without an accompanying POC demonstrating vulnerability./li>
  28. Recently disclosed vulnerabilities. We need time to patch our systems just like everyone else – please give us two weeks before reporting these types of issues.
  29. Entering the Bitbns offices and hijacking an abandoned terminal on an unlocked workstation while staff are distracted.
Non-Qualifying Vulnerabilities – Mobile Apps
  1. Shared links leaked through the system clipboard.
  2. Any URIs leaked because a malicious app has permission to view URIs opened
  3. Absence of certificate pinning
  4. Sensitive data in URLs/request bodies when protected by TLS
  5. User data stored unencrypted on external storage and private directory.
  6. Lack of obfuscation is out of scope
  7. auth "app secret" hard-coded/recoverable in apk
  8. Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes
  9. Lack of binary protection control in android app
  10. Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  11. Path disclosure in the binary
  12. Snapshot/Pasteboard leakage
  13. Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)

Communication from Bitbns

We ask the security research community to give us an opportunity to correct a vulnerability and should not publicly disclose it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. Please make a good faith effort to protect our users' privacy and data. We are committed to addressing security issues responsibly and in a timely manner.

Rewards

The monetary rewards for every valid security bug would be based on criticality of the issue and can only be credited to your Bitbns wallet in the form of cryptocurrencies . However, minimum monetary reward is 1000 Indian Rupees.

Reporting Format

If you believe you've found security vulnerability in one of our products or platforms, please send it to us by emailing at secure@bitbns.com. Please include the following details in your report:

  1. Description of the location and potential impact of the vulnerability
  2. A detailed description of the steps required to reproduce the vulnerability – POC scripts, screenshots, and compressed screen captures will all be helpful to us

Start Trading in an
Instant

Board the trading wagon now!