


Author Topic: Crypto Bug Bounty  (Read 13080 times)

Angelina

  • Moderator
  • Experienced Member
  • *****
  • Posts: 357
Crypto Bug Bounty
« on: June 14, 2023, 07:01:20 pm »
submit bug report: https://crypto.com

Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.
Note: This program is for the disclosure of software security vulnerabilities only.
Program Rules
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our businesses, including Denial of Service attacks.
  • Do not exploit the vulnerability in any way, including by making it public or by obtaining a profit (other than a reward under this Program).
  • Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.
  • Submit only one vulnerability per submission, unless you need to chain vulnerabilities to demonstrate the impact of any of them.
  • In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.
  • By submitting a bug, you agree to be bound by these rules.
Scope
In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page.
Only an issue identified in the applications listed in the structured scopes qualifies for the program. Once the report has been triaged as valid, it is considered for the bug bounty.
All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].
Note: The severity shown in the structured scopes indicates the maximum severity possible for reports submitted against that asset.

For your reported vulnerability to be eligible, you must:
  • Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.
  • Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has already been paid under this Program.
Out-of-scope Vulnerabilities
Non-Qualifying Vulnerabilities in the Crypto.com Exchange
  • Theoretical vulnerabilities without an actual proof of concept
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • Clickjacking/UI redressing with minimal security impact
  • Email enumeration (e.g. the ability to identify registered emails via password reset)
  • Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs)
  • Tab-nabbing
  • Self-XSS
  • Denial of service (DoS)
  • Spamming
  • Usability issues
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI
  • Reports from automated tools or scans, without a demonstration of exploitability
  • Vulnerabilities related to autofill of web forms
  • Use of known vulnerable libraries without an actual proof of concept
  • Lack of security flags on cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol versions
  • Content spoofing
  • Cache-control related issues
  • Exposure of internal IP addresses or domains
  • Missing security headers that do not lead to direct exploitation
  • CSRF with negligible security impact (e.g. adding to favorites, logout, subscribing to a non-critical feature)
  • Vulnerabilities that require physical access to a user's device
  • Non-technical attacks, such as physical attacks, social engineering, phishing, etc. (e.g. HTTP Basic Authentication phishing)
Non-Qualifying Vulnerabilities in the Crypto.org Chain
  • Vulnerabilities in Intel SGX
  • Vulnerabilities in Cosmos SDK
  • Vulnerabilities in a dependent 3rd party library
  • Vulnerabilities in the demo wallet example in HERE
  • Missing features, missing best practices, known limitations, known bugs, e.g. >⅓ Byzantine faults
Non-Qualifying Vulnerabilities for CRO Swap assets
The following are not eligible:
  • The example contracts and the contracts in the test folder for the Periphery Contracts link set forth above;
  • Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);
  • Bugs in any third party contract or platform that interacts with CRO swap.
Non-Qualifying Vulnerabilities in the Mobile Apps
  • Any CRO cashback gained via a typical purchase, payment or cash advance
  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view opened URIs
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage and in the private directory
  • Lack of obfuscation
  • Auth "app secret" hard-coded in or recoverable from the APK
  • Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and crashes due to malformed URL schemes
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
  • Clickjacking/UI redressing with minimal security impact
  • Distributed denial of service attacks (DDoS)
  • DNSSEC misconfiguration
  • Lack of binary protection (anti-debugging) controls
  • Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries
  • Path disclosure in the binary
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)
  • Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on the main website
  • Reports that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB
  • Reports that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit
  • Scenarios requiring excessive user interaction or tricking users, such as phishing
  • Exploits based on a complex scenario, or where the probability of exploitation is very low
  • Reports based on information taken or obtained through illegal access to Crypto.com confidential information