We take privacy and security very seriously and are always interested in finding security vulnerabilities so that we can address and fix them. If you find a problem, we encourage you to submit your findings to us; they may be compensated as part of our bug bounty.
Depending on the severity and exploitability of the bug, we pay a bug bounty ranging from 50 EUR – 1 000 EUR. Payments are made in Bitcoin (BTC) on-chain or via the Lightning Network, so you’ll need to provide us with a BTC address or a Lightning invoice.
– Only submit reports about directly exploitable issues.
– Use only accounts that belong to you personally for testing. Tests must never affect other users.
– Testing should be limited to sites and services operated directly by Coinfinity. We do not pay bounties for reports about third-party services or services which are not under our control.
– The following issues are generally considered out of scope (not an exhaustive list):
  – Account / email enumeration
  – Attacks requiring MITM or physical access to a user's device
  – Brute force attacks
  – Clickjacking
  – Content spoofing and text injection
  – CSRF vulnerabilities
  – Denial of Service attacks
  – Email SPF, DKIM, and DMARC records
  – Invite enumeration
  – Missing HttpOnly/Secure cookie flags or missing security HTTP headers
  – Open CORS headers
  – Publicly accessible login panels
  – Reports from scanners and automated tools
  – Reports on external services mapped under our domain *.coinfinity.co
  – Self-exploitation (like token reuse and console scripting)
  – Social engineering or phishing attacks targeting users or staff
You have found a problem and want to tell us about it?
Please contact us at security@coinfinity.co (PGP) with a detailed description that covers attack scenarios, exploitability and the security impact of the bug. Please allow 2 – 5 days for our answer.