We take privacy and security very seriously and are always interested in finding security vulnerabilities so that we can address and fix them. If you find a problem, we encourage you to submit your findings to us; they may be compensated as part of a bug bounty.
Depending on the severity and exploitability of the bug, we pay a bug bounty ranging from 50 EUR to 1 000 EUR. Payments are made in Bitcoin (BTC) on-chain or via the Lightning Network, so you will need to provide us with a BTC address or a Lightning invoice.
- Only submit reports about directly exploitable issues.
- Use only accounts that belong to you personally for testing. Tests must never affect other users.
- Testing should be limited to sites and services operated directly by Coinfinity. We do not pay bounties for reports about third-party services or services which are not under our control.
- The following issues are generally considered out of scope (not an exhaustive list):
  - Account / email enumeration
  - Attacks requiring MITM or physical access to a user's device
  - Brute force attacks
  - Clickjacking
  - Content spoofing and text injection
  - CSRF vulnerabilities
  - Denial of Service attacks
  - Email SPF, DKIM, and DMARC records
  - Invite enumeration
  - Missing HttpOnly/Secure cookie flags or missing security HTTP headers
  - Open CORS headers
  - Publicly accessible login panels
  - Reports from scanners and automated tools
  - Reports on external services mapped under our domain *.coinfinity.co
  - Self-exploitation (like token reuse and console scripting)
  - Social engineering or phishing attacks targeting users or staff
Have you found a problem and want to tell us about it?
Please contact us at security@coinfinity.co (PGP) with a detailed description, including the attack scenarios, exploitability and security impact of the bug. Please allow 2 - 5 days for our answer.