Bug bounty and responsible disclosure

We take privacy and security very seriously and are always interested in finding security vulnerabilities so that we can address and fix them. If you find a problem, we encourage you to submit your findings to us; they may be compensated as part of a bug bounty.

Depending on the severity and exploitability of the bug, we pay a bug bounty ranging from 50 EUR to 1 000 EUR. Payments are made in Bitcoin (BTC) on-chain or via the Lightning Network, so you’ll need to provide us with a BTC address or a Lightning invoice.

– Only submit reports about directly exploitable issues.
– Use only accounts that belong to you personally for testing. Tests must never affect other users.
– Testing should be limited to sites and services operated directly by Coinfinity. We do not pay bounties for reports about third-party services or services which are not under our control.
– The following issues are generally considered out of scope (not an exhaustive list):

– Account / email enumeration
– Attacks requiring MITM or physical access to a user's device
– Brute force attacks
– Clickjacking
– Content spoofing and text injection
– CSRF vulnerabilities
– Denial of Service attacks
– Email SPF, DKIM, and DMARC records
– Invite enumeration
– Missing HttpOnly/Secure cookie flags
– Open CORS headers
– Publicly accessible login panels
– Reports from scanners and automated tools
– Reports on external services mapped under our domain *.coinfinity.co
– Self-exploitation (like token reuse and console scripting)
– Social engineering or phishing attacks targeting users or staff

You have found a problem and want to tell us about it?

Please contact us at security@coinfinity.co (PGP) with a detailed description, and consider the attack scenarios, exploitability and security impact of the bug. Please allow 2 – 5 days for our answer.
