CoinPayments Vulnerability Bounty Program
CoinPayments Vulnerability Bounty Program
At CoinPayments, we are committed to providing a safe and secure payment platform. We constantly improve our services and carry out security updates to make sure your details are safe. In order to achieve the utmost security, we are interested in receiving any information about vulnerabilities or bugs. In return you'll be awarded. We are particularly interested in vulnerabilities in our payment flow.
Attack types and issues have been separated into reward groups as follows. Issues that are not (yet) partitioned in a reward group will be assessed and by us and rewarded accordingly.
Very low priority ($50+)
- Non-persistent XSS
- Mixed content
Low priority ($100+)
- Provisioning errors
- Information leaks (excluding user data)
- Low severity issues
Medium priority ($250+)
- Persistent XSS
- CSRF on sensitive forms
High priority ($500+)
- Customer data disclosure
- Authentication bypass
Critical priority ($1000+)
- SQL Injection
- Arbitrary code execution
- Remote file inclusion
- Privilege escalation
- Access to user wallets
- Only the first person to report a vulnerability will be awarded
- Reports have to follow our disclosure guidelines
- Full details have to be shared about the problems found
- Disruption of services, compromising/sharing of any user data or breaking the law is strictly forbidden
- Attacks that can result in harm to the reliability of our service are forbidden. Attacks that can result in data integrity issues are also forbidden. (D)DoS, spam attacks et cetera are strictly forbidden.
- Don't use automated tools to search for vulnerabilities. Your CoinPayments account can get suspended as a result.
- Attacks involving social engineering, phishing, et cetera of CoinPayments staff and users are strictly forbidden.
- Do not perform any attacks that are in violation of the law.
- A report shall have detailed steps to reproduce the issue, including links you visited, screenshots or screencasts where needed.
- A report shall include versions of software and all factors that played a role in the attack (browser, OS, et cetera.)
If we find above rules are not adhered to your report will not be eligible for a bounty
- Finders shall adhere to the rules
- Finders shall respect privacy and make effort not to access user data
- Don't publish issues or bugs without our consent. Wait at least 10 business days before publishing details about the report
- Don't do harm to our service or our users
What you can expect from us
- Our security team will address your reports and questions as quickly as possible
- We will not take any legal action if you play by the rules
- Timely pay-out of your bounty to a BTC address of your choice
- Issues that pertain to anything forbidden in the program rules
- Reports generated by automated tools
- Software issues that are made public
- Reports that do not include testing or context specific to CoinPayments
- Issues that require you to already have access to a victim's account, physical device, and/or registered email account.
- Denial of Service attacks
- Brute Force attacks
- Spam techniques (DKIM / SPF et cetera)
- Social Engineering issues
- Content injection/spoofing
- Path disclosure
- Version information disclosure
- Issues that we are already aware of
- Disclosure of trivial, non-sensitive public information
- Vulnerabilities in our official plugins that are specific to the shopping cart system, rather than our plugin
- Issues regarding spoofed e-mails
- HTTP Security Headers related issues without a proof of concept leveraging the issue
- Issues regarding SSL/TLS cipher suites without a proof of concept leveraging the issue
- Issues that can't be reproduced in the latest major browser versions (Edge, Firefox, Chrome, Safari)
- Issues leveraging the presence of browser extensions
To contact our security department simply e-mail security [at] coinpayments.net
The CoinPayments Mobile applications are not
part of this bug bounty program.
We reserve the right to adjust the program rules and conditions at any time without prior notification, to deny bounties on our discretion.