[{"id":3539871,"new_policy":"=============================================================\n\nNOTE: THIS PROGRAM IS CURRENTLY SUSPENDED. PLEASE DO NOT SUBMIT ANY MORE REPORTS.\n\n=============================================================\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-04T01:25:29.583Z"},{"id":3539870,"new_policy":"=============================================================\n\nNOTE: THIS PROGRAM IS CURRENTLY SUSPENDED. PLEASE DO NOT SUBMIT ANY MORE REPORTS.\n\n=============================================================\n\n\n\n\n\nNo technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\nTHIS HACKERONE PROFILE RELATES TO BINARY.COM'S CASHIER SYSTEM (cashier.binary.com), WHICH IS A SEPARATE SYSTEM TO BINARY.COM'S MAIN WEBSITE (which you may probe using the profile https://hackerone.com/binarycom/)\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ball-park:\n\nVery low risk - (i.e. minor issues that are not exploitable) - $10-$25\nLow risk - e.g. Open Redirection or Self Cross Site Scripting, Session bugs: $25-100\nMedium risk - e.g. Reflected or Persistent Cross Site Scripting / Cross-Site Request Forgery: $100-200\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-1,000 \n\nBounties will only be paid if we make a code/system change in response to the report, and if the vulnerability hasn't already been reported by someone else.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\n# Scope\nPlease test only the following sub-domain: cashier.binary.com\nThis is binary.com's cashier system, which is based on the doughflow.com system. It is a separate system to the rest of the binary.com website. 
To access the system, please open an account on binary.com, upgrade it to a real-money account, then click on the Cashier section.\n\nThe following issues are also out-of-scope:\n\n- Clickjacking (X-Frame-Options is intentionally disabled)\n- Presence/absence of SPF/DMARC records\n- CSRF on forms that are available to anonymous users\n- Login and logout CSRF issues\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n- Attacks requiring physical access to a user's device\n- Missing security headers which do not lead directly to a vulnerability\n- Missing best practices (we require evidence of a security vulnerability)\n- Self-XSS (making users attack themselves is not a security issue)\n- Reports from automated tools or scanners (please refrain from doing this)\n- Presence of autocomplete attribute on web forms\n- Missing cookie flags on non-sensitive cookies\n- Disclosure of known public files or directories (e.g. robots.txt)\n- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n- Social engineering of Binary employees or contractors\n- Any physical attempts against Binary property or data centers\n\nHOWEVER, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code (even if it's a very minor bug) we will reward you with a bounty. 
Even if we do not change our code, we will mark it as WON'T FIX rather than OUT OF SCOPE to avoid discouragement with negative hackerone points :)\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-04T01:23:07.343Z"},{"id":3539869,"new_policy":"=============================================================\nNOTE: THIS PROGRAM IS CURRENTLY SUSPENDED. PLEASE DO NOT SUBMIT ANY MORE REPORTS.\n=============================================================\n\n\n\n\n\nNo technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\nTHIS HACKERONE PROFILE RELATES TO BINARY.COM'S CASHIER SYSTEM (cashier.binary.com), WHICH IS A SEPARATE SYSTEM TO BINARY.COM'S MAIN WEBSITE (which you may probe using the profile https://hackerone.com/binarycom/)\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. 
Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ball-park:\n\nVery low risk - (i.e. minor issues that are not exploitable) - $10-$25\nLow risk - e.g. Open Redirection or Self Cross Site Scripting, Session bugs: $25-100\nMedium risk - e.g. Reflected or Persistent Cross Site Scripting / Cross-Site Request Forgery: $100-200\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-1,000 \n\nBounties will only be paid if we make a code/system change in response to the report, and if the vulnerability hasn't already been reported by someone else.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\n# Scope\nPlease test only the following sub-domain: cashier.binary.com\nThis is binary.com's cashier system, which is based on the doughflow.com system. It is a separate system to the rest of the binary.com website. 
To access the system, please open an account on binary.com, upgrade it to a real-money account, then click on the Cashier section.\n\nThe following issues are also out-of-scope:\n\n- Clickjacking (X-Frame-Options is intentionally disabled)\n- Presence/absence of SPF/DMARC records\n- CSRF on forms that are available to anonymous users\n- Login and logout CSRF issues\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n- Attacks requiring physical access to a user's device\n- Missing security headers which do not lead directly to a vulnerability\n- Missing best practices (we require evidence of a security vulnerability)\n- Self-XSS (making users attack themselves is not a security issue)\n- Reports from automated tools or scanners (please refrain from doing this)\n- Presence of autocomplete attribute on web forms\n- Missing cookie flags on non-sensitive cookies\n- Disclosure of known public files or directories (e.g. robots.txt)\n- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n- Social engineering of Binary employees or contractors\n- Any physical attempts against Binary property or data centers\n\nHOWEVER, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code (even if it's a very minor bug) we will reward you with a bounty. 
Even if we do not change our code, we will mark it as WON'T FIX rather than OUT OF SCOPE to avoid discouragement with negative hackerone points :)\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-04T01:22:35.017Z"},{"id":2000551,"new_policy":"No technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\nTHIS HACKERONE PROFILE RELATES TO BINARY.COM'S CASHIER SYSTEM (cashier.binary.com), WHICH IS A SEPARATE SYSTEM TO BINARY.COM'S MAIN WEBSITE (which you may probe using the profile https://hackerone.com/binarycom/)\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ball-park:\n\nVery low risk - (i.e. 
minor issues that are not exploitable) - $10-$25\nLow risk - e.g. Open Redirection or Self Cross Site Scripting, Session bugs: $25-100\nMedium risk - e.g. Reflected or Persistent Cross Site Scripting / Cross-Site Request Forgery: $100-200\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-1,000 \n\nBounties will only be paid if we make a code/system change in response to the report, and if the vulnerability hasn't already been reported by someone else.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\n# Scope\nPlease test only the following sub-domain: cashier.binary.com\nThis is binary.com's cashier system, which is based on the doughflow.com system. It is a separate system to the rest of the binary.com website. To access the system, please open an account on binary.com, upgrade it to a real-money account, then click on the Cashier section.\n\nThe following issues are also out-of-scope:\n\n- Clickjacking (X-Frame-Options is intentionally disabled)\n- Presence/absence of SPF/DMARC records\n- CSRF on forms that are available to anonymous users\n- Login and logout CSRF issues\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n- Attacks requiring physical access to a user's device\n- Missing security headers which do not lead directly to a vulnerability\n- Missing best practices (we require evidence of a security vulnerability)\n- Self-XSS (making users attack themselves is not a security issue)\n- Reports from automated tools or scanners (please refrain from doing this)\n- Presence of autocomplete attribute on web forms\n- Missing cookie flags on non-sensitive cookies\n- Disclosure of known public files or 
directories (e.g. robots.txt)\n- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n- Social engineering of Binary employees or contractors\n- Any physical attempts against Binary property or data centers\n\nHOWEVER, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code (even if it's a very minor bug) we will reward you with a bounty. Even if we do not change our code, we will mark it as WON'T FIX rather than OUT OF SCOPE to avoid discouragement with negative hackerone points :)\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-11-17T14:22:10.206Z"},{"id":1997282,"new_policy":"No technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\nTHIS HACKERONE PROFILE RELATES TO BINARY.COM'S CASHIER SYSTEM (cashier.binary.com), WHICH IS A SEPARATE SYSTEM TO BINARY.COM'S MAIN WEBSITE (which you may probe using the profile https://hackerone.com/binarycom/)\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ball-park:\n\nVery low risk - (i.e. minor issues that are not exploitable) - $10-$25\nLow risk - e.g. Open Redirection or Self Cross Site Scripting, Session bugs: $25-100\nMedium risk - e.g. Reflected or Persistent Cross Site Scripting / Cross-Site Request Forgery: $100-200\nHigh risk - e.g. 
Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-1,000 \n\nBounties will only be paid if we make a code/system change in response to the report, and if the vulnerability hasn't already been reported by someone else.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\n# Scope\nPlease test only the following sub-domain: cashier.binary.com\nThis is binary.com's cashier system, which is based on the doughflow.com system. It is a separate system to the rest of the binary.com website. To access the system, please open an account on binary.com, upgrade it to a real-money account, then click on the Cashier section.\n\nThe following issues are also out-of-scope:\n\n- Presence/absence of SPF/DMARC records\n- CSRF on forms that are available to anonymous users\n- Login and logout CSRF issues\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n- Attacks requiring physical access to a user's device\n- Missing security headers which do not lead directly to a vulnerability\n- Missing best practices (we require evidence of a security vulnerability)\n- Self-XSS (making users attack themselves is not a security issue)\n- Reports from automated tools or scanners (please refrain from doing this)\n- Presence of autocomplete attribute on web forms\n- Missing cookie flags on non-sensitive cookies\n- Disclosure of known public files or directories (e.g. 
robots.txt)\n- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n- Social engineering of Binary employees or contractors\n- Any physical attempts against Binary property or data centers\n\nHOWEVER, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code (even if it's a very minor bug) we will reward you with a bounty. Even if we do not change our code, we will mark it as WON'T FIX rather than OUT OF SCOPE to avoid discouragement with negative hackerone points :)\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-11-17T08:42:54.567Z"}]