Bitpanda GmbH (Bitpanda) Bitpanda.com as Europe's leading retail exchange for buying and selling cryptocurrencies has made every effort to secure its platform and mobile applications and to eliminate all software vulnerabilities in its systems. As part of Bitpanda's security guidelines we appreciate your cooperation in investigating and reporting any vulnerabilities of the Bitpanda Services (as defined below).
This bug bounty program gives you the framework on how to act as a security researcher and be rewarded for finding and reporting bugs within the Bitpanda ecosystem (Bitpanda Bug Bounty Program or Program).
This section will give you an overview of the Bitpanda Bug Bounty Program. Please make sure you keep the ruleset in mind before investigating any issues. Bitpanda offers rewards for significant bugs pursuant to this Program.
Bitpanda reserves the right to modify or cancel the Bitpanda Bug Program at Bitpanda's sole discretion and at any time.
Every person participating in the Bitpanda Bug Bounty Program is called a “Security Researcher”. To be classified as a Security Researcher you must fully comply with this Program. Only fully compliant “Security Researchers” may get rewards according to this Programm.
Not part of the Bitpanda Bug Bounty Program and explicitly out of the Program's scope are following subdomains, hosted by third parties (Non-Bitpanda Services).
Non-Bitpanda Services may be eligible for a bug report, if such vulnerability directly leads to a relevant impact on a Bitpanda Service.
Additionally, all kind of other websites, software, applications etc. are explicitly out of the Program's scope, in particular:
No exception is existent for external websites.
A Bug report is a summary of your findings concerning a detected vulnerability of Bitpanda Services. In general, a bug report must be valid, in scope report to qualify as a bug report and, hence, to qualify for a reward. Please find the requirements for a compliant bug report under point "Complete Bug Report".
A Security Researcher reporting an issue first is called the First Reporter. Rewards for a specific vulnerability go to the First Reporter. A subsequent bug report reporting the same or similar vulnerability will not be eligible for a reward (first come first serve principle). Provided that Bitpanda is already aware of a specific vulnerability at the time of a submitted bug report reporting the same or similar vulnerability as already known, Bitpanda is deemed to be the First Reporter.
Bitpanda grants rewards (also called bounty and/or bounties) for reporting software vulnerabilities in accordance with this Program. Rewards may be granted if the following requirements called the “Researcher Requirements” are collectively fulfilled:
If just one of the above requirements is not fulfilled, this has to be assessed as a non-compliance with this Program.
Bitpanda decides at its sole and own discretion whether a reward is granted and the exact amount of such bounty. Further details on rewards are described in point Rewards. A granted reward will be paid to the Bitpanda fiat wallet (EUR) in the Bitpanda user account of the respective successful First Reporter. This means that a First Reporter requires a user account on the Bitpanda platform for receiving the reward.
Every investigation must be done responsibly. Responsible investigation includes, but is not limited to:
Any non-responsible investigation action will result in an exclusion of the Bitpanda Bug Bounty Program.
Bitpanda needs a documentation of the existing vulnerability. This is called a bug report. Bitpanda can only accept complete bug reports, after sending it to [email protected] or sending it via the means of communication provided by Hackerone.
A bug report is complete, if Bitpanda can reproduce the bug and can assess the potential impact.
How can I make sure it is complete?
In general, every bug in a Bitpanda Service leading to a relevant vulnerability could be eligible for a reward. The focus lies on:
In the following you find some examples for security issues which may be eligible for a reward in accordance with this Program:
All vulnerabilities of Bitpanda Services that require or are related to the following are not eligible for a bug report and/or reward and called ineligible vulnerabilities. Such ineligible vulnerabilities are in particular:
The eligibility of a vulnerability is assessed solely and exclusively by Bitpanda.
Security Researchers must adhere to and follow the principles of “Responsible Disclosure” as outlined in the following. Responsible disclosure rules are:
Any breaking or neglection of these rules will be a violation of the Bitpanda Bug Bounty Program.
The reward that can be expected for your bug report depends on the severity of the reported vulnerability. The table below will give you a general guideline what you can expect for your investigation efforts:
|Vulnerability||Reward in EUR (net)|
|Critical||dependent on severeness of vulnerability|
The above mentioned amounts are minimum bounties for each level of vulnerability. A concrete bounty may excess the minimum amount based on the severity of the vulnerability and/or the Security Researcher's technique and reporting quality. The granted reward will be determined by the impact on the Bitpanda Service.
Previous granted bounty amounts are not considered precedent for future bounty amounts.
The evaluation of your complete bug report will be done solely by Bitpanda. As mentioned the 4 researcher parameters stated out in point "Rewards" must be fulfilled to be evaluated as a valid bug report. The impact of the found vulnerability will determine the reward as described in point "Rewards Structure. The reported bug or vulnerability will be evaluated based on two factors: Impact and Exploitability.
To give you an idea, how this works we provide you with some easy examples.
Impact in general means the damage an abuser can cause. This refers but is not limited to financial damages, functional damages, exploitation on confidentiality, integrity and availability of sensitive information & damages which could result in reputational damages.
The scope of evaluation concerning the impact ranges from low to critical.
Exploitability refers to the difficulty the system can be “gamed” or security measures can be bypassed.
Please note that all these examples refer to unauthorized actions and not the normal intended functions (e.g. data export, normal trading function) by Bitpanda.
Severity is used for calculating the reward and is a combination of impact and exploitability.
The formula can be seen as:
Impact (Damage) * Exploitability (How easy is it to repeat the damage) = Vulnerability Tier