Unbanked strongly believes in the value of security professionals and developers helping to keep our products and users safe. Unbanked has established, and encourages the use of, a Bug Bounty Program for the responsible disclosure of all security vulnerabilities. The Bug Bounty Program serves the Unbanked mission by helping us be the most trusted company in the digital currency market.
Unbanked agrees not to initiate legal action for security research performed in accordance with all posted Unbanked Bug Bounty policies, including good-faith, accidental violations. We believe activities conducted consistent with this policy constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 503(c). We will not bring a claim against researchers for circumventing the technological measures we have used to protect the applications in the scope of the Bug Bounty Program.
Each researcher is required to submit a notification to us before engaging in conduct that may be inconsistent with, or unaddressed by, this policy.
All bounty submissions are rated by Unbanked and paid out based on the vulnerability rating. All payouts will proceed in USDC or UNBANKED; the amounts are defined as a guideline and are subject to change.
- All bug reports must be submitted to [email protected]
- Asking for payment in exchange for vulnerability details will result in immediate ineligibility of bounty payments.
- If we cannot reproduce your findings, your report will not be eligible for payout. We ask you to provide as detailed a report as possible with all steps necessary to produce your conclusions.
- Include your USD Coin (USDC) Address for Payment. All rewards will be issued in USD Coin or UNBANKED.
- The minimum payout is USD Coin (USDC), the equivalent of $50.
Critical severity issues present a direct and immediate risk to a broad array of our users or to Unbanked itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:
- Arbitrary code/command execution on a server in our production network.
- Arbitrary queries on a production database.
- Bypassing our sign-in process, either password or 2FA.
- Access to sensitive production user data or access to internal production systems.
High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may grant an attacker extensive access. For example:
- XSS, which bypasses CSP
- Discovering sensitive user data in a publicly exposed resource
- Gaining access to a non-critical system to which an end-user account should not have access
Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:
- Disclosing non-sensitive information from a production system to which the user should not have access
- XSS that does not bypass CSP or does not execute sensitive actions in another user’s session
- CSRF for low-risk actions
Low severity issues allow an attacker to access minimal amounts of data. They may violate an expectation of how something is intended to work, but they enable little or no escalation of privilege or ability to trigger unintended behavior. For example:
- Triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.
Reports we are not interested in include:
- Vulnerabilities on sites hosted by third parties (support.Unbanked.com, etc.) unless they lead to a vulnerability on the main website.
- Vulnerabilities and bugs on the Unbanked blog (blog.Unbanked.com).
- Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.
- Vulnerabilities affecting outdated or unpatched browsers.
- Vulnerabilities in third-party applications that make use of Unbanked’s API.
- Vulnerabilities that have not been responsibly investigated and reported.
- Vulnerabilities already known to us or already reported by someone else (the reward goes to the first reporter).
- Issues that aren’t reproducible.
- Vulnerabilities that require an improbable level of user interaction.
- Vulnerabilities that require root/jailbreak on mobile.
- Missing security headers without proof of exploitability.
- TLS Cipher Suites offered.
- Suggestions on best practices.
- Software version disclosure.
- Any report without accompanying proof of concept exploit.
- Issues that we can’t reasonably be expected to do anything about.
- The output from automated tools/scanners.
- Issues without any security impact.