Bitbns Bug Bounty Program

Summary

- If you spot any security issue, you will be eligible for a reward, provided you report it directly to us.

- The reward is based on the severity of the issue (a minimum of ₹1000 is assured).

- Send a description of the issue, along with details on how to reproduce it, to: [email protected]

Table of Contents

  1. Intro
  2. Guidelines
  3. Scope
    a. Qualifying vulnerabilities
    b. Non-Qualifying vulnerabilities
    c. Non-Qualifying vulnerabilities — Mobile Apps
  4. Communications from Bitbns
  5. Rewards
  6. Reporting format

Help us to secure Bitbns further!

Bitbns invites independent security groups and individual researchers to study it across all platforms and help us make it even safer for our customers. Please alert us to any potential security flaw you find; we will suitably reward your efforts in cryptocurrency. Although we welcome reports of non-security issues, please note that only genuine security issues are eligible for rewards, and we may not be able to respond to non-security issues. Send a detailed description to [email protected]

Guidelines

All researchers are expected to:

  1. Report their findings by writing to us directly at [email protected] without making any information public. We will confirm receipt within 72 working hours of submission.
  2. Keep the information about any vulnerability you have discovered confidential between Bitbns and yourself until we have resolved the problem.
  3. Depending on the criticality level, a fix may take anywhere from 2 days to 2 weeks.
  4. Disclosure of the vulnerability to the public, on social media, or to a third party will result in suspension from the Bitbns Bug Bounty and Secure Bitbns Reward Program.
  5. Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  6. Perform research only within the limited scope defined below.

If you follow these guidelines when reporting an issue to us, we commit to:
    - Work with you to understand and resolve the issue quickly
    - Suitably reward your efforts
    - Not pursue or support any legal action related to your research

Scope

Website: https://bitbns.com

Mobile Apps: Android and iOS

Out-of-Scope Properties: Any subdomain that is not directly connected to bitbns.com or to the Android and iOS mobile apps.

Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

  1. Cross-site Scripting (XSS)
  2. Cross-Site Request Forgery (CSRF)
  3. Server-Side Request Forgery (SSRF)
  4. SQL Injection
  5. Server-Side Remote Code Execution (RCE) and other server-side code execution bugs
  6. XML External Entity Attacks (XXE)
  7. Access Control Issues (Insecure Direct Object References, Privilege Escalation, etc.)
  8. Exposed Administrative Panels that do not require login credentials
  9. Directory Traversal Issues
  10. Local File Disclosure (LFD) and Remote File Inclusion (RFI)
  11. Payment Manipulation
  12. Flaws in third-party integrations that allow free orders from Bitbns merchants

Non-Qualifying Vulnerabilities

  1. Open redirects. The vast majority of open redirects have low security impact. In the rare cases where the impact is higher (e.g., the redirect can be used to steal OAuth tokens), we still want to hear about them.
  2. Reports stating that software is out of date or vulnerable without a Proof of Concept.
  3. Host header issues without an accompanying PoC demonstrating the vulnerability.
  4. XSS issues that affect only outdated browsers.
  5. Stack traces that disclose information.
  6. Clickjacking and issues only exploitable through clickjacking.
  7. CSV injection. Please see this article: https://goo.gl/bamS8l
  8. Best practices concerns.
  9. Highly speculative reports about theoretical damage. Be concrete.
  10. Self-XSS that can not be used to exploit other users.
  11. Vulnerabilities reported by automated tools without additional analysis of how they constitute an issue.
  12. Reports from automated web vulnerability scanners (Acunetix, Burp Suite, Vega, etc.) that have not been validated manually.
  13. Denial of Service Attacks.
  14. Brute Force Attacks
  15. Reflected File Download (RFD).
  16. Physical or social engineering attempts (this includes phishing attacks against Bitbns employees).
  17. Content injection issues.
  18. Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
  19. Missing autocomplete attributes.
  20. Missing cookie flags on non-security-sensitive cookies.
  21. Issues that require physical access to a victim's computer.
  22. Missing security headers that do not present an immediate security vulnerability.
  23. Fraud Issues.
  24. Recommendations about security enhancement.
  25. SSL/TLS scan reports (this means output from sites such as SSL Labs).
  26. Banner grabbing issues (figuring out what web server we use, etc.).
  27. Open ports without an accompanying PoC demonstrating the vulnerability.
  28. Recently disclosed vulnerabilities. We need time to patch our systems just like everyone else; please give us two weeks before reporting these types of issues.
  29. Entering the Bitbns offices and hijacking an abandoned terminal on an unlocked workstation while staff are distracted.

Non-Qualifying Vulnerabilities – Mobile Apps

  1. Shared links leaked through the system clipboard.
  2. Any URIs leaked because a malicious app has permission to view opened URIs.
  3. Absence of certificate pinning.
  4. Sensitive data in URLs or request bodies when protected by TLS.
  5. User data stored unencrypted on external storage or in the app's private directory.
  6. Lack of code obfuscation.
  7. An auth "app secret" hard-coded in, or recoverable from, the APK.
  8. Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope), and crashes due to malformed URL schemes.
  9. Lack of binary protection controls in the Android app.
  10. Lack of exploit mitigations (e.g., PIE, ARC, or stack canaries).
  11. Path disclosure in the binary.
  12. Snapshot/Pasteboard leakage.
  13. Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment).

Communications from Bitbns

We ask the security research community to give us an opportunity to correct a vulnerability before disclosing it publicly. Please submit a detailed description of the issue and the steps you believe are required to reproduce what you have observed. Please make a good-faith effort to protect our users' privacy and data. We are committed to addressing security issues responsibly and in a timely manner.

Rewards

The monetary reward for every valid security bug is based on the criticality of the issue and can only be credited to your Bitbns wallet in the form of cryptocurrency. The minimum monetary reward is 1000 Indian Rupees.

Reporting Format

If you believe you have found a security vulnerability in one of our products or platforms, please send it to us by emailing [email protected]. Include the following details in your report:

  1. A description of the location and potential impact of the vulnerability
  2. A detailed description of the steps required to reproduce the vulnerability; PoC scripts, screenshots, and compressed screen captures are all helpful to us
