


Author Topic: Coinpayments Bug Bounty  (Read 13129 times)

Angelina

Coinpayments Bug Bounty
« on: June 14, 2023, 06:56:15 pm »
submit bug report: https://www.coinpayments.net/help-bug-bounty

At CoinPayments, we are committed to providing a safe and secure payment platform. We constantly improve our services and carry out security updates to make sure your details are safe. In order to achieve the utmost security, we are interested in receiving any information about vulnerabilities or bugs. In return you'll be awarded. We are particularly interested in vulnerabilities in our payment flow.
Reward levels
Attack types and issues have been separated into reward groups as follows. Issues that are not (yet) partitioned in a reward group will be assessed by us and rewarded accordingly.

Very low priority ($50+)
- Non-persistent XSS
- Mixed content
- Tab-nabbing

Low priority ($100+)
- Provisioning errors
- Information leaks (excluding user data)
- Low severity issues

Medium priority ($250+)
- Persistent XSS
- CSRF on sensitive forms

High priority ($500+)
- Customer data disclosure
- Authentication bypass

Critical priority ($1000+)
- SQL Injection
- Arbitrary code execution
- Remote file inclusion
- Privilege escalation
- Access to user wallets
Program rules
- Only the first person to report a vulnerability will be awarded
- Reports have to follow our disclosure guidelines
- Full details have to be shared about the problems found
- Disruption of services, compromising/sharing of any user data or breaking the law is strictly forbidden
- Attacks that can result in harm to the reliability of our service are forbidden. Attacks that can result in data integrity issues are also forbidden. (D)DoS, spam attacks et cetera are strictly forbidden.
- Don't use automated tools to search for vulnerabilities. Your CoinPayments account can get suspended as a result.
- Attacks involving social engineering, phishing, et cetera of CoinPayments staff and users are strictly forbidden.
- Do not perform any attacks that are in violation of the law.
- A report shall have detailed steps to reproduce the issue, including links you visited, screenshots or screencasts where needed.
- A report shall include versions of software and all factors that played a role in the attack (browser, OS, et cetera).
Disclosure Guidelines
- Finders shall adhere to the rules
- Finders shall respect privacy and make an effort not to access user data
- Don't publish issues or bugs without our consent. Wait at least 10 business days before publishing details about the report
- Don't do harm to our service or our users
- If we find the above rules are not adhered to, your report will not be eligible for a bounty
What you can expect from us
- Our security team will address your reports and questions as quickly as possible
- We will not take any legal action if you play by the rules
- Timely pay-out of your bounty to a BTC address of your choice
Unqualified Reports
- Issues that pertain to anything forbidden in the program rules
- Reports generated by automated tools
- Software issues that are made public
- Reports that do not include testing or context specific to CoinPayments
- Issues that require you to already have access to a victim's account, physical device, and/or registered email account
- Denial of Service attacks
- Brute Force attacks
- Spam techniques (DKIM / SPF et cetera)
- Social Engineering issues
- Content injection/spoofing
- Path disclosure
- Version information disclosure
- Issues that we are already aware of
- Disclosure of trivial, non-sensitive public information
- Vulnerabilities in our official plugins that are specific to the shopping cart system, rather than our plugin
- Issues regarding spoofed e-mails
- HTTP Security Headers related issues without a proof of concept leveraging the issue
- Issues regarding SSL/TLS cipher suites without a proof of concept leveraging the issue
- Issues that can't be reproduced in the latest major browser versions (Edge, Firefox, Chrome, Safari)
- Issues leveraging the presence of browser extensions
Contact/report
To contact our security department simply e-mail security [at] coinpayments.net