Bug Bounty

We’re doing our best to ensure the security and reliability of our system: we test it daily and use several layers of monitoring software. But we want you, our community members, to help us improve the product and make it even better. So if you discover any bugs, we would appreciate your cooperation in reporting them to us so that we can fix them instantly. Members who show this kind of nobility will be rewarded.

Investigation and Reporting Rules

Correct investigation and reporting rules:

  • Don’t make the bug public before it has been fixed.
  • Only report the issue or bug to us and not to anyone else.
  • Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
  • Don’t encroach on other users’ private data in our system, don’t destroy data, and don’t try to disrupt our services or carry out other malicious activity.
  • While investigating a bug, test only on your own account, not on other users’ accounts.
  • No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • When in doubt, email us at [email protected]

In general, please investigate and report bugs in a reasonable way that is not disruptive or harmful to us or our users.

Rules for us

  • We will respond as quickly as possible to your report.
  • We will keep you updated as we work to fix the bug you have reported.
  • We will not take legal action against you if you play by the rules.

Eligibility

In general, you may be rewarded for any error that creates a vulnerability affecting both the security of our site and the integrity of our system. However, it is entirely up to us to decide whether the error is large enough to be rewarded.

Security issues that would normally qualify (although not necessarily in all cases) include:

  • Privilege Escalation
  • Authentication Bypass
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Remote Code Execution
  • Code Injection
  • Clickjacking
  • Leakage of Sensitive Data

Ineligibility

The following will not be rewarded:

  • Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
  • Bugs already known to us, or already reported by someone else (reward goes to first reporter).
  • Issues that aren’t reproducible.
  • Vulnerabilities affecting outdated or unpatched browsers.
  • Bugs that have not been responsibly investigated and reported.
  • Issues that we can’t reasonably be expected to do anything about.
  • Vulnerabilities contingent on physical attacks, social engineering, spamming, DDoS attacks, etc.

Reward

There is no fixed price for submissions. All of them will be evaluated, and rewards will be given based on impact.

The minimum reward is 100 USD, of which 50% is paid in BTC and 50% in CST token. At the moment, we do not set a maximum reward. Rewards will be issued if you are the first to present a specific vulnerability and our response team determines, on the basis of your report, that it will resolve the issue in question. We will issue only one reward per bug.

How to Report a Bug

  • Send your bug report to [email protected] (subject: BugBounty).
  • Include your BTC wallet address for payment.
  • When sending us a report, attach as much information as you have, including the potential impact and steps to reproduce it or a proof of concept.
  • Please give us 3 working days to respond before sending another email.