Bug Bounty
We’re doing our best to ensure the security and reliability of our system: we test it daily
and use several layers of monitoring software. But we want you, our community members, to help
us improve the product and make it even better. So if you discover any bugs, we would
appreciate your cooperation in reporting them to us, so we can fix them instantly. Members who
show this kind of nobility will be rewarded.
Investigation and Reporting Rules
Correct investigation and reporting rules:
- Don’t make the bug public before it has been fixed.
- Only report the issue or bug to us and not to anyone else.
- Don’t perform any attack that could harm the reliability/integrity of our services or data.
  DDoS/spam attacks are not allowed.
- Don’t access other users’ private data (in our system), destroy data, try to disrupt our
  services, or engage in other malicious activity.
- While investigating a bug, test only on your own account, not on other users’ accounts.
- No non-technical attacks such as social engineering, phishing, or physical attacks against
  our employees, users, or infrastructure.
- When in doubt, email us at [email protected]
In general, please investigate and report bugs in a reasonable way that is not disruptive or
harmful to us or our users.
Rules for us
- We will respond as quickly as possible to your report
- We will keep you updated as we work to fix the bug you have reported
- We will not take legal action against you if you play by the rules.
Eligibility
In general, you may be rewarded for any bug that makes both the security of our site and the
integrity of our system vulnerable. However, it is entirely up to us to decide whether the bug
is significant enough to be rewarded.
Security issues that would normally be eligible (although not necessarily in all cases)
include:
- Privilege Escalation
- Authentication Bypass
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Remote Code Execution
- Code Injection
- Clickjacking
- Leakage of Sensitive Data
Ineligibility
The following will not be rewarded:
- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the
  main website.
- Bugs already known to us, or already reported by someone else (reward goes to first
  reporter).
- Issues that aren’t reproducible.
- Vulnerabilities affecting outdated or unpatched browsers.
- Bugs that have not been responsibly investigated and reported.
- Issues that we can’t reasonably be expected to do anything about.
- Vulnerabilities contingent on physical attacks, social engineering, spamming, DDoS attacks,
  etc.
Reward
There is no fixed price for submissions. Each one will be evaluated, and rewards will be given
based on impact.
The minimum reward is 100 USD, of which 50% is paid in BTC and 50% in CST tokens. At the
moment, we do not set a maximum reward. Rewards will be issued if you are the first to
present a specific vulnerability and our team determines from your report that it will
resolve the issue in question. We will issue only one reward per bug.
How to Report a Bug
- Send your bug report to [email protected] (subject: BugBounty).
- Include your BTC wallet address for payment.
- When sending us a report, try to attach as much information as you have, including its
  potential impact and steps for reproducing it or a proof of concept.
- Please give us 3 working days to respond before sending another email.