Bitbns invites independent security groups and individual researchers to study it across all platforms and help us make it even safer for our customers. Please alert us to any potential security flaw you find. We will suitably reward you for your efforts in cryptocurrencies. Though we welcome reports of non-security issues, please note that only genuine security issues are eligible for rewards, and we may not be able to respond to non-security issues. Send a detailed description to [email protected]
All researchers are expected to:
Report their findings by writing to us directly at [email protected] without making any information public. We will confirm receipt within 72 working hours of submission.
Keep the information about any vulnerability you've discovered confidential between Bitbns & yourself until we have resolved the problem.
Based on the criticality level we might take 2 days to 2 weeks to fix the vulnerability.
Disclosure of the vulnerability to the public, social media or a third party will result in suspension from Bitbns's Bug Bounty and Secure Bitbns Reward Program.
Please make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
Perform research only within the following limited scope.
If you follow these guidelines when reporting an issue to us, we commit to:
- Working with you to understand and resolve the issue quickly
- Suitably rewarding your efforts
- Not pursuing or supporting any legal action related to your research
Missing cookie flags on non-security-sensitive cookies.
Issues that require physical access to a victim's computer.
Missing security headers that do not present an immediate security vulnerability.
Recommendations about security enhancement.
SSL/TLS scan reports (this means output from sites such as SSL Labs).
Banner grabbing issues (figuring out what web server we use, etc.).
Open ports without an accompanying POC demonstrating a vulnerability.
Recently disclosed vulnerabilities. We need time to patch our systems just like everyone else – please give us two weeks before reporting these types of issues.
Entering the Bitbns offices and hijacking an abandoned terminal on an unlocked workstation while staff are distracted.
Non-Qualifying Vulnerabilities – Mobile Apps
Shared links leaked through the system clipboard.
Any URIs leaked because a malicious app has permission to view opened URIs.
Absence of certificate pinning
Sensitive data in URLs/request bodies when protected by TLS
User data stored unencrypted on external storage and private directory.
Lack of obfuscation is out of scope
Auth "app secret" hard-coded in or recoverable from the APK.
Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and crashes due to malformed URL schemes.
Lack of binary protection controls in the Android app.
Lack of exploit mitigations (i.e., PIE, ARC, or stack canaries).
Path disclosure in the binary
Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)
Communication from Bitbns
We ask the security research community to give us an opportunity to correct a vulnerability before disclosing it publicly. Please submit a detailed description of the issue and the steps you believe are required to reproduce what you have observed. Please make a good faith effort to protect our users' privacy and data. We are committed to addressing security issues responsibly and in a timely manner.
The monetary reward for every valid security bug is based on the criticality of the issue and can only be credited to your Bitbns wallet in the form of cryptocurrencies. However, the minimum monetary reward is 1000 Indian Rupees.
If you believe you've found a security vulnerability in one of our products or platforms, please send it to us by emailing [email protected]. Please include the following details in your report:
Description of the location and potential impact of the vulnerability
A detailed description of the steps required to reproduce the vulnerability – POC scripts, screenshots, and compressed screen captures will all be helpful to us