Bug Bounty Program - Bitpanda

Bitpanda GmbH (Bitpanda) Bitpanda.com, Europe's leading retail exchange for buying and selling cryptocurrencies, has made every effort to secure its platform and mobile applications and eliminate all software vulnerabilities in its systems. As part of Bitpanda's security guidelines, we appreciate your cooperation in investigating and reporting any vulnerabilities of the Bitpanda Services (as defined below).

Scope of the Program

This section will give you an overview of the Bitpanda Bug Bounty Program. Please make sure you keep the ruleset in mind before investigating any issues. Bitpanda offers rewards for significant bugs according to this Program.

Bitpanda reserves the right to modify or cancel the Bitpanda Bug Program at Bitpanda's sole discretion and at any time.

Bitpanda Services

The Bitpanda Bug Bounty Program’s scope covers software vulnerabilities in services by Bitpanda. Bitpanda services and their specific domains are (Bitpanda Services):

In-Scope Domain

Tier 1 Assets

Tier 2 Assets

Rewards Structure

The reward that can be expected for your bug report depends on the severity of the reported vulnerability. The table below will give you a general guideline of what you can expect for your investigation efforts:

Rewards Structure for Tire 1 Assets - All rewards will be issued in Bitcoin (BTC). 

Rewards Structure for Tire 2 Assets - All rewards will be issued in Bitcoin (BTC).

Attention

Rewards will be paid out in Bitcoins (BTC)

Once your submission is accepted, please provide either of the following to receive your reward.

• Email address registered on our Bitpanda platform OR
• Your BTC wallet address

Focus Areas:

In the following, you will find some examples of security issues that may be eligible for a reward in accordance with this Program:

• Leakage of data
• Getting malicious access to user funds
• Price manipulation within the platform
• Code injection
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Remote code execution
• Privilege escalation
• Authentication bypass
• Remote Code Execution (RCE)
• XML External Entity Injection (XXE)
• Business logic Vulnerabilities (with impact)
• Vulnerabilities of Non-Bitpanda Services directly lead to a relevant impact on a Bitpanda Service.

Complete Bug Report

Bitpanda needs documentation of the existing vulnerability. This is called a vulnerability report. Bitpanda can only accept complete bug reports after sending them via Zendesk.

https://support.bitpanda.com/hc/en-us/requests/new?vulnerability=1.

A bug report is complete if Bitpanda can reproduce the bug and can assess the potential impact.

How can I make sure it is complete?

• Add as much information in your report as you can.
• Add a complete description of the bug.
• Point out the potential impact of the bug.
• Guide to reproduce the bug (proof of concept).

Out of Scope Domain

Non-Bitpanda Services may be eligible for a bug report if such vulnerability directly leads to a relevant impact on a Bitpanda Service.

 Additionally, all kinds of other websites, software, applications, etc., are explicitly out of the Program's scope, in particular:

 Websites not provided by Bitpanda

• External websites, software, applications, etc., linking to Bitpanda
• External websites, software, applications, etc., using Bitpanda's API
• Websites not being Bitpanda Services or Non-Bitpanda Services as outlined above
• No exception is existent for external websites.

Out-of-Scope Vulnerabilities

All vulnerabilities of Bitpanda Services that require or are related to the following are not eligible for a bug report and reward and are called ineligible vulnerabilities. Such ineligible vulnerabilities are, in particular:

• The use of Automated scanners is strictly prohibited
• UX issues not relating to security impacts
• Failure to Invalidate Session On Password Reset and/or Change
• Vulnerabilities of any third-party software or application that interacts with Bitpanda Services.
• Attacks related to email servers, email protocols, and email security (e.g., SPF, DMARC, DKIM, or email spam)
• Social engineering & identity theft actions
• Disclosure of known public files or directories (e.g., robots.txt).
• Attacking physical security, DDOS, spamming, etc.
• Vulnerabilities of Non-Bitpanda Services not leading to a relevant impact on a Bitpanda Service.
• Vulnerabilities were related to outdated, unpatched browsers or operating systems.
• Vulnerabilities Bitpanda can't reproduce.
• Vulnerabilities in any open-source library.
• Vulnerabilities in existing banking functionalities (e.g., credit cards and wire transfers) can lead to abuse.
• Google Maps API Key
• Theoretical vulnerabilities without actual proof of concept.
• Clickjacking/UI redressing/Tap Jacking
• Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.,
• Strict-Transport-Security.
• X-Frame-Options.
• X-XSS-Protection.
• X-Content-Type-Options.
• Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.
• Content-Security-Policy-Report-Only.
• Cache-Control and Pragma
• lack of HSTS
• Lack of Secure/HTTPOnly flags
• SSL/TLS Issues, e.g.,
• SSL Attacks such as BEAST, BREACH, and Renegotiation attacks.
• SSL Forward secrecy is not enabled.
• SSL weak/insecure cipher suites.
• Most brute-forcing issues without an apparent impact
• Reports of missing “best practices” or other guidelines do not indicate a security issue.
• "Self" XSS
• Username / email enumeration.
• Insufficient session expiration
• Logout Cross-Site Request Forgery (logout CSRF).
• Recently (less than 30 days) disclosed 0day vulnerabilities
• Issues that require physical access to a victim’s computer/device
• Missing reCAPTCHA/Rate Limit.
• Login or Forgot Password page brute force and account lockout not enforced.
• Descriptive error messages (e.g., Stack Traces, application or server errors).
• Exploits that are only possible on Android version 9.x and below
• Exploits that are only possible on IOS version 12.x and below
• Exploits that are only possible on a jailbroken device
• Jailbreak and root detection
• Crashing your application
• Testing for weak credentials
• Email bombing/Flooding/rate limiting
• Vulnerabilities Bitpanda can't reasonably fix or do anything about it (e.g., heart bleed bug or bugs concerning telecommunication systems)
• Vulnerabilities that have not been responsibly investigated.
• Vulnerabilities that have not been thoroughly reported.
• Vulnerabilities that have been known by us or reported by someone else first.

Security Researcher

Every person participating in the Bitpanda Bug Bounty Program is called a “Security Researcher.” To be classified as a Security Researcher, you must fully comply with this Program. According to this Program, only fully compliant “Security Researchers” may get rewards.

Bug Report

A Bug report summarizes your findings concerning a detected vulnerability of Bitpanda Services. In general, a bug report must be a valid, in-scope report to qualify as a bug report and, hence, to qualify for a reward. Please find the compliance bug report requirements under "Complete Bug Report."

First Reporter Rule

A Security Researcher, reporting an issue first is called the First Reporter. Rewards for a specific vulnerability go to the First Reporter. A subsequent bug report reporting the same or similar vulnerability will not be eligible for a reward (first come, first serve principle). Suppose Bitpanda is already aware of a specific vulnerability when a submitted bug report reports the same or similar vulnerability already known. In that case, Bitpanda is deemed to be the First Reporter.

Evaluation of a bug report

The evaluation of your complete bug report will be done solely by Bitpanda. As mentioned, the 4 researcher parameters stated in point "Rewards" must be fulfilled to be evaluated as a valid bug report. The impact of the found vulnerability will determine the reward as described in the point "Rewards Structure. The reported bug or vulnerability will be evaluated based on impact and Exploitability.

Rewards

Bitpanda grants rewards (also called bounty and/or bounties) for reporting software vulnerabilities in accordance with this Program. Rewards may be granted if the following requirements called the “Researcher Requirements” are collectively fulfilled:

• Responsible Investigation (description in point "Responsible Investigation");
• Complete Bug Report (description in point "Complete Bug Report");
• Eligibility of Vulnerability (description in point "Eligibility of Vulnerability"); and
• Responsible Disclosure (description in point "Responsible Disclosure").

If just one of the above requirements is not fulfilled, this has to be assessed as non-compliance with this Program.

Responsible Investigation

Every investigation must be done responsibly. The responsible investigation includes, but is not limited to

• Do not destroy data, disrupt or compromise Bitpanda's services, or support third parties with such actions.
• Do not violate the privacy or any rights of Bitpanda's users or support third parties with such actions.
• Do your research in your own name and for your own account. Only target your personal account. The interaction with any other user account(s) is strictly forbidden, in particular, but without limitation to:
• Targeting or an attempt to target other user accounts.
• Any disruption or damage of other user accounts or/or a user's rights.
• Do not use, attempt, or be involved in any kind of
• Social Engineering
• Spam
• Distributed Denial of Service attacks (DDOS)
• Attacking any physical security measures
• Any non-responsible investigation action will result in exclusion from the Bitpanda Bug Bounty Program.

Eligibility of Vulnerability

Every bug in a Bitpanda Service leading to a relevant vulnerability could be eligible for a reward. The focus lies on.

• Leakage of data
• Classification of endangered data
• Compromising the security of user funds
• Compromising the integrity of Bitpanda's trading system

Responsible Disclosure

• bitpanda doesn’t allow Disclosure of any vulnerability reported, even if the reported vulnerability is fixed.
• Sharing any information about the vulnerability to any third party is prohibited.
• The Security Researcher must provide Bitpanda with a reasonable amount of time to fix the vulnerability.
• Defrauding Bitpanda itself or any users of Bitpanda Services is prohibited.
• Allowing, enabling, or supporting other parties to defraud Bitpanda itself or any user of Bitpanda Services is prohibited.
• Gaining any profit for your own or allowing third parties to gain any profit from the vulnerability is prohibited (except the bounty under this Program)
• Sharing any gained sensitive information to any other third party is prohibited.
• Reports must be done without any demands, threats, ransoms, or other conditions.
• Security Researchers shall ensure that the integrity and confidentiality of the detected issues and any of Bitpanda's user data are secured and preserved.
• Any breaking or neglecting of these rules will violate the Bitpanda Bug Bounty Program.