Bug bounty and responsible disclosure

We take privacy and security very seriously and are always interested in finding security vulnerabilities so that we can address and fix them. If you find a problem, we encourage you to submit your findings to us; they may be compensated as part of a bug bounty.

Depending on the severity and exploitability of the bug, we pay a bug bounty ranging from 50 EUR to 1 000 EUR. Payments are made in Bitcoin (BTC) on-chain or via the Lightning Network, so you’ll need to provide us with a BTC address or a Lightning invoice.

– Only submit reports about directly exploitable issues.
– Use only accounts that belong to you personally for testing. Tests must never affect other users.
– Testing should be limited to sites and services operated directly by Coinfinity. We do not pay bounties for reports about third-party services or services which are not under our control.
– The following issues are generally considered out of scope (not an exhaustive list):

– Account / email enumeration
– Attacks requiring MITM or physical access to a user's device
– Brute force attacks
– Clickjacking
– Content spoofing and text injection
– CSRF vulnerabilities
– Denial of Service attacks
– Email SPF, DKIM, and DMARC records
– Invite enumeration
– Missing HttpOnly/Secure cookie flags or secure HTTP headers
– Open CORS headers
– Publicly accessible login panels
– Reports from scanners and automated tools
– Reports on external services mapped under our domain *.coinfinity.co
– Self-exploitation (like token reuse and console scripting)
– Social engineering or phishing attacks targeting users or staff

You have found a problem and want to tell us about it?

Please contact us at security@coinfinity.co (PGP) with a detailed description that considers attack scenarios, exploitability and security impact of the bug. Please allow 2 – 5 days for our answer.
