[{"id":3759557,"new_policy":"# Our Products\nAs a globally regulated company, Crypto.com is required to follow various laws and regulations in order to provide you access to our services. This means that to gain access to our main product, the Crypto.com App, you will need to go through a Know-Your-Customer (KYC) signup flow. You can find more information at https://help.crypto.com/en/articles/6185958-how-to-sign-up-for-the-crypto-com-app. We encourage you to download our app at https://download.crypto.com!\n\nOur app has over 100 million users and, as of December 2024, is the highest volume cryptocurrency trading app in the United States. While we understand that going through a sign-up process to gain access to our crown jewels is not ideal for ethical hackers, we are committed to making your experience with our program as quick, friendly, and fair as possible.\n\nPlease email us at hackerone@crypto.com if you have any questions, comments, or need help related to our Bug Bounty program.\n\nThanks for reading and for considering hacking us!\n\n# Scope Message\nWe will accept reports on any asset that is within Crypto.com's control. For assets outside of our control, like vendors (e.g. 
https://help.crypto.com), we will accept reports if the vulnerability was caused by a misconfiguration on our part.\n\n# Commitments\nBy engaging in any activity under this HackerOne program:\n* **We** commit to working with you to make Crypto.com, our customers, and our products more secure\n* We commit to responding to all reports as soon as possible and in good faith\n* We commit to honesty and transparency with you\n* We commit to evaluating all reports for bounty eligibility fairly and neutrally\n* We commit to making ourselves available upon request when reasonable to assist you\n\n\n- **You** commit to not engaging in any activities under this or any other Crypto.com-affiliated HackerOne programs as or with the assistance of a current or former employee, contractor, or vendor\n- You commit to not attempting to sabotage or disrupt any of our operations\n- You commit to following HackerOne's Code of Conduct\n- You commit to reporting potential security issues only through our Bug Bounty program\n\n# Smart Contracts\nFor vulnerabilities against in-scope smart contracts, please note that we score internally only based on potential impact to user funds and cryptographic security rather than CVSS 3.1. As always, all reports must come with a valid Proof-of-Concept. This means that reports operating on theoretical attacks such as governance attacks, incorrect data supplied by third-party oracles, Sybil attacks, or lack of liquidity are not considered valid reports.\n\nWe only consider the latest mainnet releases of blockchain assets as in-scope. We will not consider reports against assets marked \"Mock\" or \"Test\". Please note that any report that involves draining another individual's funds or blocking their access to their funds without their consent will automatically make you ineligible for this program.\n\n# Extended Policy\nThis document is intended to be concise and precise. 
An extended version of our HackerOne policy, including sections such as **Out-of-scope Vulnerabilities** and **Vulnerability Severity Definitions**, can be found [here](https://github.com/crypto-com/h1-policy-guidelines).\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hack both the most regulated and licensed cryptocurrency platform in the world, and the highest-paying Bug Bounty program on HackerOne. Earn up to $2 million. Make the world more secure. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Publicly Available Credentials\",\"details\":\"Crypto.com does not award reports of publicly available credentials. We will award reports for credentials that you can demonstrate were exposed due to a fault of Crypto.com.\"}","{\"category\":\"Internally Known Issues\",\"details\":\"We might not be able to provide a bounty if you report an issue that is already known internally. However, we will provide a bounty if you are able to convince us that the severity and impact is greater than previously known.\"}"],"timestamp":"2025-07-21T10:49:13.099Z"},{"id":3746323,"new_policy":"# Our Products\nAs a globally regulated company, Crypto.com is required to follow various laws and regulations in order to provide you access to our services. This means that to gain access to our main product, the Crypto.com App, you will need to go through a Know-Your-Customer (KYC) signup flow. You can find more information at https://help.crypto.com/en/articles/6185958-how-to-sign-up-for-the-crypto-com-app. We encourage you to download our app at https://download.crypto.com!\n\nOur app has over 100 million users and, as of December 2024, is the highest volume cryptocurrency trading app in the United States. 
While we understand that going through a sign-up process to gain access to our crown jewels is not ideal for ethical hackers, we are committed to making your experience with our program as quick, friendly, and fair as possible.\n\nPlease email us at hackerone@crypto.com if you have any questions, comments, or need help related to our Bug Bounty program.\n\nThanks for reading and for considering hacking us!\n\n# Scope Message\nWe will accept reports on any asset that is within Crypto.com's control. For assets outside of our control, like vendors (e.g. https://help.crypto.com), we will accept reports if the vulnerability was caused by a misconfiguration on our part.\n\n# Commitments\nBy engaging in any activity under this HackerOne program:\n* **We** commit to working with you to make Crypto.com, our customers, and our products more secure\n* We commit to responding to all reports as soon as possible and in good faith\n* We commit to honesty and transparency with you\n* We commit to evaluating all reports for bounty eligibility fairly and neutrally\n* We commit to making ourselves available upon request when reasonable to assist you\n\n\n- **You** commit to not engaging in any activities under this or any other Crypto.com-affiliated HackerOne programs as or with the assistance of a current or former employee, contractor, or vendor\n- You commit to not attempting to sabotage or disrupt any of our operations\n- You commit to following HackerOne's Code of Conduct\n- You commit to reporting potential security issues only through our Bug Bounty program\n\n# Smart Contracts\nFor vulnerabilities against in-scope smart contracts, please note that we score internally only based on potential impact to user funds and cryptographic security rather than CVSS 3.1. As always, all reports must come with a valid Proof-of-Concept. 
This means that reports operating on theoretical attacks such as governance attacks, incorrect data supplied by third-party oracles, Sybil attacks, or lack of liquidity are not considered valid reports.\n\nWe only consider the latest mainnet releases of blockchain assets as in-scope. We will not consider reports against assets marked \"Mock\" or \"Test\". Please note that any report that involves draining another individual's funds or blocking their access to their funds without their consent will automatically make you ineligible for this program.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hack both the most regulated and licensed cryptocurrency platform in the world, and the highest-paying Bug Bounty program on HackerOne. Earn up to $2 million. Make the world more secure. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Publicly Available Credentials\",\"details\":\"Crypto.com does not award reports of publicly available credentials. We will award reports for credentials that you can demonstrate were exposed due to a fault of Crypto.com.\"}","{\"category\":\"Internally Known Issues\",\"details\":\"We might not be able to provide a bounty if you report an issue that is already known internally. However, we will provide a bounty if you are able to convince us that the severity and impact is greater than previously known.\"}"],"timestamp":"2024-12-10T09:50:42.847Z"},{"id":3745539,"new_policy":"# Our Products\nAs a globally regulated company, Crypto.com is required to follow various laws and regulations in order to provide you access to our services. This means that to gain access to our main product, the Crypto.com App, you will need to go through a Know-Your-Customer (KYC) signup flow. 
You can find more information at https://help.crypto.com/en/articles/6185958-how-to-sign-up-for-the-crypto-com-app. We encourage you to download our app at https://download.crypto.com!\n\nOur app has over 100 million users and, as of December 2024, is the highest volume cryptocurrency trading app in the United States. While we understand that going through a sign-up process to gain access to our crown jewels is not ideal for ethical hackers, we are committed to making your experience with our program as quick, friendly, and fair as possible.\n\nPlease email us at hackerone@crypto.com if you have any questions, comments, or need help related to our Bug Bounty program.\n\nThanks for reading and for considering hacking us!\n\n# Scope Message\nWe will accept reports on any asset that is within Crypto.com's control. For assets outside of our control, like vendors (e.g. https://help.crypto.com), we will accept reports if the vulnerability was caused by a misconfiguration on our part.\n\n# Commitments\nBy engaging in any activity under this HackerOne program:\n* **We** commit to working with you to make Crypto.com, our customers, and our products more secure\n* We commit to responding to all reports as soon as possible and in good faith\n* We commit to honesty and transparency with you\n* We commit to evaluating all reports for bounty eligibility fairly and neutrally\n* We commit to making ourselves available upon request when reasonable to assist you\n\n\n- **You** commit to not engaging in any activities under this or any other Crypto.com-affiliated HackerOne programs as or with the assistance of a current or former employee, contractor, or vendor\n- You commit to not attempting to sabotage or disrupt any of our operations\n- You commit to following HackerOne's Code of Conduct\n- You commit to reporting potential security issues only through our Bug Bounty 
program\n\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hack both the most regulated and licensed cryptocurrency platform in the world, and the highest-paying Bug Bounty program on HackerOne. Earn up to $2 million. Make the world more secure. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Publicly Available Credentials\",\"details\":\"Crypto.com does not award reports of publicly available credentials. We will award reports for credentials that you can demonstrate were exposed due to a fault of Crypto.com.\"}","{\"category\":\"Internally Known Issues\",\"details\":\"We might not be able to provide a bounty if you report an issue that is already known internally. However, we will provide a bounty if you are able to convince us that the severity and impact is greater than previously known.\"}"],"timestamp":"2024-12-02T14:06:12.314Z"},{"id":3745538,"new_policy":"# Our Products\nAs a globally regulated company, Crypto.com is required to follow various laws and regulations in order to provide you access to our services. This means that to gain access to our main product, the Crypto.com App, you will need to go through a Know-Your-Customer (KYC) signup flow. You can find more information at https://help.crypto.com/en/articles/6185958-how-to-sign-up-for-the-crypto-com-app. We encourage you to download our app at https://download.crypto.com!\n\nOur app has over 100 million users and, as of December 2024, is the highest volume cryptocurrency trading app in the United States. 
While we understand that going through a sign-up process to gain access to our crown jewels is not ideal for ethical hackers, we are committed to making your experience with our program as quick, friendly, and fair as possible.\n\nPlease email us at hackerone@crypto.com if you have any questions, comments, or need help related to our Bug Bounty program.\n\nThanks for reading and for considering hacking us!\n\n# Scope Message\nWe will accept reports on any asset that is within Crypto.com's control. For assets outside of our control, like vendors (e.g. https://help.crypto.com), we will accept reports if the vulnerability was caused by a misconfiguration on our part.\n\n# Commitments\nBy engaging in any activity under this HackerOne program:\n* **We** commit to working with you to make Crypto.com, our customers, and our products more secure\n* We commit to responding to all reports as soon as possible and in good faith\n* We commit to honesty and transparency with you\n* We commit to evaluating all reports for bounty eligibility fairly and neutrally\n* We commit to making ourselves available upon request when reasonable to assist you\n\n\n- **You** commit to not engaging in any activities under this or any other Crypto.com-affiliated HackerOne programs as or with the assistance of a current or former employee, contractor, or vendor\n- You commit to not attempting to sabotage or disrupt any of our operations\n- You commit to following HackerOne's Code of Conduct\n- You commit to reporting potential security issues only through our Bug Bounty program\n\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hack both the most regulated and licensed cryptocurrency platform in the world, and the highest-paying bug bounty program in our industry and on HackerOne. 
Earn up to $2 million.\n\nHappy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Publicly Available Credentials\",\"details\":\"Crypto.com does not award reports of publicly available credentials. We will award reports for credentials that you can demonstrate were exposed due to a fault of Crypto.com.\"}","{\"category\":\"Internally Known Issues\",\"details\":\"We might not be able to provide a bounty if you report an issue that is already known internally. However, we will provide a bounty if you are able to convince us that the severity and impact is greater than previously known.\"}"],"timestamp":"2024-12-02T14:00:52.076Z"},{"id":3745502,"new_policy":"# Our Products\nAs a globally regulated company, Crypto.com is required to follow various laws and regulations in order to provide you access to our services. This means that to gain access to our main product, the Crypto.com App, you will need to go through a Know-Your-Customer (KYC) signup flow. You can find more information at https://help.crypto.com/en/articles/6185958-how-to-sign-up-for-the-crypto-com-app. We encourage you to download our app at https://download.crypto.com!\n\nOur app has over 100 million users and, as of December 2024, is the highest volume cryptocurrency trading app in the United States. While we understand that going through a sign-up process to gain access to our crown jewels is not ideal for ethical hackers, we are committed to making your experience with our program as quick, friendly, and fair as possible.\n\nPlease email us at hackerone@crypto.com if you have any questions, comments, or need help related to our Bug Bounty program.\n\nThanks for reading and for considering hacking us!\n\n# Scope Message\nWe will accept reports on any asset that is within Crypto.com's control. For assets outside of our control, like vendors (e.g. 
https://help.crypto.com), we will accept reports if the vulnerability was caused by a misconfiguration on our part.\n\n# Commitments\nBy engaging in any activity under this HackerOne program:\n* **We** commit to working with you to make Crypto.com, our customers, and our products more secure\n* We commit to responding to all reports as soon as possible and in good faith\n* We commit to honesty and transparency with you\n* We commit to evaluating all reports for bounty eligibility fairly and neutrally\n* We commit to making ourselves available upon request when reasonable to assist you\n\n\n- **You** commit to not engaging in any activities under this or any other Crypto.com-affiliated HackerOne programs as or with the assistance of a current or former employee, contractor, or vendor\n- You commit to not attempting to sabotage or disrupt any of our operations\n- You commit to following HackerOne's Code of Conduct\n- You commit to reporting potential security issues only through our Bug Bounty program\n\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Publicly Available Credentials\",\"details\":\"Crypto.com does not award reports of publicly available credentials. We will award reports for credentials that you can demonstrate were exposed due to a fault of Crypto.com.\"}","{\"category\":\"Internally Known Issues\",\"details\":\"We might not be able to provide a bounty if you report an issue that is already known internally. 
However, we will provide a bounty if you are able to convince us that the severity and impact is greater than previously known.\"}"],"timestamp":"2024-12-02T07:22:03.974Z"},{"id":3735810,"new_policy":"Crypto.com is committed to security, and recognizes the importance of security researchers in helping keep us safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n------------------\n\n# Crypto.com App Security Initiative\n\nCrypto.com offers select benefits to reputable hackers to encourage and assist in responsible disclosure of vulnerabilities relating to our main mobile apps. Reputable hackers may be eligible to receive an IP whitelist exemption from our main mobile app mTLS control and $50 USDC for penetration testing assistance. You must have an existing, KYC-approved account before applying. You may sign up for our main app at https://get.mona.co on your mobile device.\n\nIf you have an existing, KYC-approved account in positive standing, 200 HackerOne reputation, and a positive HackerOne signal score, please email hackerone@crypto.com with:\n* Your main Crypto.com referral code\n* A link to your HackerOne profile\n* The IP address you would like whitelisted from mTLS\n\nApplications are reviewed in Crypto.com’s sole discretion. 
Data will be processed in accordance with the Crypto.com Privacy Policy (https://crypto.com/privacy).\n\n------------------\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\n\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require user interaction, submitted by a reporter who has not previously received a bounty from us, will receive a 100% bonus and swag.\n\n------------------\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Service attacks.\n* Do not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n------------------\n\n# Product and Feature Updates \n\nWe encourage you to keep up with our X at https://x.com/CryptoCom and our blogs at https://crypto.com/company-news and https://crypto.com/product-news to see our latest innovations.\n\n------------------\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange and other Web-based Applications\n* Use of AI/Deepfake technology to bypass KYC or similar scenario \n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing \n* Self-XSS \n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. 
adding to favorites, Logout, subscribing to a non-critical feature)\n* Broken 3rd party links that are not presented as owned by us\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc.(E.g. HTTP Basic Authentication Phishing)\n* Exposed passwords that are not Crypto.com's fault\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Use of AI/Deepfake technology to bypass KYC or similar scenario \n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with developer-level debugging tools, including but not limited to ADB.\n* Reports that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection 
without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-12T08:22:01.926Z"},{"id":3735809,"new_policy":"Crypto.com is committed to security, and recognizes the importance of security researchers in helping keep us safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n------------------\n\n# Crypto.com App Security Initiative\n\nCrypto.com offers select benefits to reputable hackers to encourage and assist in responsible disclosure of vulnerabilities relating to our main mobile apps. 
Reputable hackers may be eligible to receive an IP whitelist exemption from our main mobile app mTLS control and $50 USDC for penetration testing assistance. You must have an existing, KYC-approved account before applying. You may sign up for our main app at https://get.mona.co on your mobile device.\n\nIf you have an existing, KYC-approved account in positive standing, 200 HackerOne reputation, and a positive HackerOne signal score, please email hackerone@crypto.com with:\n* Your main Crypto.com referral code\n* A link to your HackerOne profile\n* The IP address you would like whitelisted from mTLS\n\nApplications are reviewed in Crypto.com’s sole discretion. Data will be processed in accordance with the Crypto.com Privacy Policy (https://crypto.com/privacy).\n\n------------------\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\n\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require user interaction, submitted by a reporter who has not previously received a bounty from us, will receive a 100% bonus and swag.\n\n------------------\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Service attacks.\n* Do not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n------------------\n\n# Product and Feature Updates \n\nWe encourage you to keep up with our X at https://x.com/CryptoCom and our blogs at https://crypto.com/company-news and https://crypto.com/product-news to see our latest innovations.\n\n------------------\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange and other Web-based Applications\n* Use of AI/Deepfake technology to bypass KYC or similar scenario \n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing \n* Self-XSS \n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Broken 3rd party links that are not presented as owned by us\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc.(E.g. 
HTTP Basic Authentication Phishing)\n* Exposed passwords that are not Crypto.com's fault\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Use of AI/Deepfake technology to bypass KYC or similar scenario \n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with developer-level debugging tools, including but not limited to ADB.\n* Reports that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploits based on a complex scenario or with a very low probability of exploitation.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential 
information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-12T08:16:16.997Z"},{"id":3728741,"new_policy":"Crypto.com is committed to security, and recognizes the importance of security researchers in helping keep us safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n------------------\n\n# Crypto.com App Security Initiative\n\nCrypto.com offers select benefits to reputable hackers to encourage and assist in responsible disclosure of vulnerabilities relating to our main mobile apps. Reputable hackers may be eligible to receive an IP whitelist exemption from our main mobile app mTLS control and $50 USDC for penetration testing assistance. You must have an existing, KYC-approved account before applying. 
You may sign up for our main app at https://get.mona.co on your mobile device.\n\nIf you have an existing, KYC-approved account in positive standing, 200 HackerOne reputation, and a positive HackerOne signal score, please email hackerone@crypto.com with:\n* Your main Crypto.com referral code\n* A link to your HackerOne profile\n* The IP address you would like whitelisted from mTLS\n\nApplications are reviewed in Crypto.com’s sole discretion. Data will be processed in accordance with the Crypto.com Privacy Policy (https://crypto.com/privacy).\n\n------------------\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\n\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require interaction from a user who has not received a bounty from us will receive a 100% bonus and swag.\n\n------------------\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. 
We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n------------------\n\n# Product and Feature Updates \n\nWe encourage you to keep up with our X at https://x.com/CryptoCom and our blogs at https://crypto.com/company-news and https://crypto.com/product-news to see our latest innovations.\n\n------------------\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange and other Web-based Applications\n* Use of AI/Deepfake technology to bypass KYC or similar scenario \n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing \n* Self-XSS \n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Broken 3rd party links that are not presented as owned by us\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc.(E.g. 
HTTP Basic Authentication Phishing)\n* Exposed passwords that are not Crypto.com's fault\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Use of AI/Deepfake technology to bypass KYC or similar scenario \n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential 
information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-06T03:49:59.789Z"},{"id":3728729,"new_policy":"Crypto.com is committed to security, and recognizes the importance of security researchers in helping keep us safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n------------------\n\n# Crypto.com App Security Initiative\n\nCrypto.com offers select benefits to reputable hackers to encourage and assist in responsible disclosure of vulnerabilities relating to our main mobile apps. Reputable hackers may be eligible to receive an IP whitelist exemption from our main mobile app mTLS control and $50 USDC for penetration testing assistance. You must have an existing, KYC-approved account before applying. 
You may sign up for our main app at https://get.mona.co on your mobile device.\n\nIf you have an existing, KYC-approved account in positive standing, 200 HackerOne reputation, and a positive HackerOne signal score, please email hackerone@crypto.com with:\n* Your main Crypto.com referral code\n* A link to your HackerOne profile\n* The IP address you would like whitelisted from mTLS\n\nApplications are reviewed in Crypto.com’s sole discretion. Data will be processed in accordance with the Crypto.com Privacy Policy (https://crypto.com/privacy).\n\n------------------\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\n\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require interaction from a user who has not received a bounty from us will receive a 100% bonus and swag.\n\n------------------\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. 
We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n------------------\n\n# Product and Feature Updates \n\nWe encourage you to keep up with our X at https://x.com/CryptoCom and our blogs at https://crypto.com/company-news and https://crypto.com/product-news to see our latest innovations.\n\n------------------\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange and other Web-based Applications\n* Use of AI/Deepfake technology to bypass KYC or similar scenario \n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing \n* Self-XSS \n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Broken 3rd party links that are not presented as owned by us\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc.(E.g. 
HTTP Basic Authentication Phishing)\n* Exposed passwords that are not Crypto.com's fault\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious 
about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-06T01:37:20.894Z"},{"id":3723615,"new_policy":"Crypto.com is committed to security, and recognizes the importance of security researchers in helping keep us safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n------------------\n\n# Crypto.com App Security Initiative\n\nCrypto.com offers select benefits to reputable hackers to encourage and assist in responsible disclosure of vulnerabilities relating to our main mobile apps. Reputable hackers may be eligible to receive an IP whitelist exemption from our main mobile app mTLS control and $50 USDC for penetration testing assistance. You must have an existing, KYC-approved account before applying. 
You may sign up for our main app at https://get.mona.co on your mobile device.\n\nIf you have an existing, KYC-approved account in positive standing, 200 HackerOne reputation, and a positive HackerOne signal score, please email hackerone@crypto.com with:\n* Your main Crypto.com referral code\n* A link to your HackerOne profile\n* The IP address you would like whitelisted from mTLS\n\nApplications are reviewed in Crypto.com’s sole discretion. Data will be processed in accordance with the Crypto.com Privacy Policy (https://crypto.com/privacy).\n\n------------------\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\n\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require interaction from a user who has not received a bounty from us will receive a 100% bonus and swag.\n\n------------------\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. 
We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n------------------\n\n# Product and Feature Updates \n\nWe encourage you to keep up with our X at https://x.com/CryptoCom and our blogs at https://crypto.com/company-news and https://crypto.com/product-news to see our latest innovations.\n\n------------------\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange and other Web-based Applications\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing \n* Self-XSS \n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Broken 3rd party links that are not presented as owned by us\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc.(E.g. 
HTTP Basic Authentication Phishing)\n* Exposed passwords that are not Crypto.com's fault\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious 
about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-17T01:53:08.475Z"},{"id":3723275,"new_policy":"Crypto.com is committed to security, and recognizes the importance of security researchers in helping keep us safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n------------------\n\n# Crypto.com App Security Initiative\n\nCrypto.com offers select benefits to reputable hackers to encourage and assist in responsible disclosure of vulnerabilities relating to our main mobile apps. Reputable hackers may be eligible to receive an IP whitelist exemption from our main mobile app mTLS control and $50 USDC for penetration testing assistance. You must have an existing, KYC-approved account before applying. 
You may sign up for our main app at https://get.mona.co on your mobile device.\n\nIf you have an existing, KYC-approved account in positive standing, 200 HackerOne reputation, and a positive HackerOne signal score, please email hackerone@crypto.com with:\n* Your main Crypto.com referral code\n* A link to your HackerOne profile\n* The IP address you would like whitelisted from mTLS\n\nApplications are reviewed in Crypto.com’s sole discretion. Data will be processed in accordance with the Crypto.com Privacy Policy (https://crypto.com/privacy).\n\n------------------\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\n\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require interaction from a user who has not received a bounty from us will receive a 100% bonus and swag.\n\n------------------\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. 
We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n------------------\n\n# Product and Feature Updates \n\nWe encourage you to keep up with our X at https://x.com/CryptoCom and our blogs at https://crypto.com/company-news and https://crypto.com/product-news to see our latest innovations.\n\n------------------\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange and other Web-based Applications\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing \n* Self-XSS \n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Broken 3rd party links that are not presented as owned by us\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc.(E.g. 
HTTP Basic Authentication Phishing)\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal scanning and 
testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-11T08:23:04.641Z"},{"id":3723272,"new_policy":"Crypto.com is committed to security, and recognizes the importance of security researchers in helping keep us safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n------------------\n\n# Crypto.com App Security Initiative\n\nCrypto.com offers select benefits to reputable hackers to encourage and assist in responsible disclosure of vulnerabilities relating to our main mobile apps. Reputable hackers may be eligible to receive an IP whitelist exemption from our main mobile app mTLS control and $50 USDC for penetration testing assistance. You must have an existing, KYC-approved account before applying. 
You may sign up for our main app at https://get.mona.co on your mobile device.\n\nIf you have an existing, KYC-approved account in positive standing, 200 HackerOne reputation, and a positive HackerOne signal score, please email hackerone@crypto.com with:\n* Your main Crypto.com referral code\n* A link to your HackerOne profile\n* The IP address you would like whitelisted from mTLS\n\nApplications are reviewed at Crypto.com’s sole discretion. Data will be processed in accordance with the Crypto.com Privacy Policy (https://crypto.com/privacy).\n\n------------------\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\n\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require user interaction, submitted by a reporter who has not received a bounty from us, will receive a 100% bonus and swag.\n\n------------------\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Service attacks.\n* Do not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. 
We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n------------------\n\n# Product and Feature Updates \n\nWe encourage you to keep up with our X at https://x.com/CryptoCom and our blogs at https://crypto.com/company-news and https://crypto.com/product-news to see our latest innovations.\n\n------------------\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange and other Web-based Applications\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third-party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. 
HTTP Basic Authentication Phishing)\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Reports that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Reports that result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, like phishing.\n* Exploits based on a complex scenario, or where the probability of exploitation is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal scanning and 
testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-11T06:48:59.424Z"},{"id":3713980,"new_policy":"Crypto.com is committed to security, and recognizes the importance of security researchers in helping keep us safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n------------------\n\n# Crypto.com App Security Initiative\n\nCrypto.com offers select benefits to reputable hackers to encourage and assist in responsible disclosure of vulnerabilities relating to our main mobile apps. Reputable hackers may be eligible to receive an IP whitelist exemption from our main mobile app mTLS control and $50 USDC for penetration testing assistance. You must have an existing, KYC-approved account before applying. 
You may sign up for our main app at https://get.mona.co on your mobile device.\n\nIf you have an existing, KYC-approved account in positive standing, 200 HackerOne reputation, and a positive HackerOne signal score, please email hackerone@crypto.com with:\n* Your main Crypto.com referral code\n* A link to your HackerOne profile\n* The IP address you would like whitelisted from mTLS\n\nApplications are reviewed at Crypto.com’s sole discretion. Data will be processed in accordance with the Crypto.com Privacy Policy (https://crypto.com/privacy).\n\n------------------\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\n\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require user interaction, submitted by a reporter who has not received a bounty from us, will receive a 100% bonus and swag.\n\n------------------\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Service attacks.\n* Do not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. 
We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n------------------\n\n# Product and Feature Updates \n\nWe encourage you to keep up with our X at https://x.com/CryptoCom and our blogs at https://crypto.com/company-news and https://crypto.com/product-news to see our latest innovations.\n\n------------------\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange and other Web-based Applications\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third-party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. 
HTTP Basic Authentication Phishing)\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Reports that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Reports that result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, like phishing.\n* Exploits based on a complex scenario, or where the probability of exploitation is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal scanning and 
testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-12T02:00:31.384Z"},{"id":3710022,"new_policy":"Crypto.com is committed to security, and recognizes the importance of security researchers in helping keep us safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n# Crypto.com App Security Initiative\n\nCrypto.com offers select benefits to reputable hackers to encourage and assist in responsible disclosure of vulnerabilities relating to our main mobile apps. 
Reputable hackers may be eligible to receive an IP whitelist exemption from our main mobile app mTLS control and $50 USDC for penetration testing assistance. You must have an existing, KYC-approved account before applying. You may sign up for our main app at https://get.mona.co on your mobile device.\n\nIf you have an existing, KYC-approved account in positive standing, 200 HackerOne reputation, and a positive HackerOne signal score, please email hackerone@crypto.com with:\n* Your main Crypto.com referral code\n* A link to your HackerOne profile\n* The IP address you would like whitelisted from mTLS\n\nApplications are reviewed at Crypto.com’s sole discretion. Data will be processed in accordance with the Crypto.com Privacy Policy (https://crypto.com/privacy).\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\n\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require user interaction, submitted by a reporter who has not received a bounty from us, will receive a 100% bonus and swag.\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Service attacks.\n* Do not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. 
We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n\n### In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Card / Earn].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n\n\n------------------\n\n# Testing Resources and Guidance\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n------------------\n\n# Product and Feature Updates \n\nWe encourage you to keep up with our X at https://x.com/CryptoCom and our blogs at https://crypto.com/company-news and https://crypto.com/product-news to see our latest innovations.\n\n# Product and Feature Updates (Old)\n\n##  _Update - 30 November 2020: “Margin Trading” service released_\n\nCrypto.com has released 
a new feature called **Margin Trading service** on the crypto.com/exchange platform.\n\nThe new Margin Trading enhancement, released recently, allows users to hold a separate margin wallet, obtain a loan to margin trade, and place and cancel orders on the crypto.com Exchange; it continuously monitors each user’s Margin Level.\n\n## _Update - 11 September 2020: CRO Swap added into scope_\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n**For your reported vulnerability to be eligible, you must:**\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third-party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n\n\n------------------\n\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third-party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n\n## Non-Qualifying Vulnerabilities for CRO Swap assets\n\nThe following are not eligible:\n* The example contracts and the contracts in the test folder for the Periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third-party contract or platform that interacts with CRO swap;\n* Only smart contracts (i.e. Solidity files) are in scope. 
Other, non-smart-contract code is out of scope.\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Reports that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Reports that result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, like phishing.\n* Exploits based on a complex scenario, or where the probability of exploitation is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal 
scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-01T23:39:22.958Z"},{"id":3709917,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. 
\n\n# Holiday Notice\nPlease note that due to the end of the holiday season, our response times might be slightly delayed.\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\n\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require user interaction, submitted by a reporter who has not received a bounty from us, will receive a 100% bonus and swag.\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Service attacks.\n* Do not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n\n### In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Card / Earn].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n\n\n------------------\n\n# Testing Resources and Guidance\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n------------------\n\n\n# Product and Feature Updates\n\nTo keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly. \n\nFor more information about Crypto.com’s recent dev updates, you may also refer to our blog.\n\n##  _Update - 30 November 2020: “Margin Trading” service released_\n\nCrypto.com has released a new feature called **Margin Trading service** on the crypto.com/exchange platform. 
\n\nThe new Margin Trading enhancement released recently allows users to separate margin wallet, obtain a loan to margin trade, place and cancel orders in crypto.com Exchange, and will continuously monitor each user’s Margin Level.\n\n## _Update - 11 September 2020: CRO Swap added into scope_\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n**For your reported vulnerability to be eligible, you must:**\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n\n\n------------------\n\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third-party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n\n## Non-Qualifying Vulnerabilities for CRO Swap assets\n\nThe following are not eligible:\n* The example contracts and the contracts in the test folder for the Periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third-party contract or platform that interacts with CRO swap;\n* Only smart contracts (i.e. Solidity files) are in scope. 
Other non-smart-contract files are out of scope.\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* Auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Issues that result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, like phishing.\n* Exploits based on a complex scenario, or where the probability of exploitation is very low.\n* Reports based on information taken or obtained through illegal access to Crypto.com confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal 
scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-27T08:42:58.279Z"},{"id":3709914,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. 
\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\n\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require interaction from a user who has not received a bounty from us will receive a 100% bonus and swag.\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n\n### In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Card / Earn].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n\n\n------------------\n\n# Testing Resources and Guidance\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n------------------\n\n\n# Product and Feature Updates\n\nTo keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly. \n\nFor more information about Crypto.com’s recent dev updates, you may also refer to our blog.\n\n##  _Update - 30 November 2020: “Margin Trading” service released_\n\nCrypto.com has released a new feature called **Margin Trading service** on the crypto.com/exchange platform. 
\n\nThe new Margin Trading enhancement released recently allows users to separate margin wallet, obtain a loan to margin trade, place and cancel orders in crypto.com Exchange, and will continuously monitor each user’s Margin Level.\n\n## _Update - 11 September 2020: CRO Swap added into scope_\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n**For your reported vulnerability to be eligible, you must:**\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n\n\n------------------\n\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third-party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n\n## Non-Qualifying Vulnerabilities for CRO Swap assets\n\nThe following are not eligible:\n* The example contracts and the contracts in the test folder for the Periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third-party contract or platform that interacts with CRO swap;\n* Only smart contracts (i.e. Solidity files) are in scope. 
Other non-smart-contract files are out of scope.\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* Auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Issues that result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, like phishing.\n* Exploits based on a complex scenario, or where the probability of exploitation is very low.\n* Reports based on information taken or obtained through illegal access to Crypto.com confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal 
scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-27T08:42:33.619Z"},{"id":3708771,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. 
\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require interaction from a user who has not received a bounty from us will receive a 100% bonus and swag.\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n\n### In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Card / Earn].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n\n\n------------------\n\n# Testing Resources and Guidance\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n------------------\n\n\n# Product and Feature Updates\n\nTo keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly. \n\nFor more information about Crypto.com’s recent dev updates, you may also refer to our blog.\n\n##  _Update - 30 November 2020: “Margin Trading” service released_\n\nCrypto.com has released a new feature called **Margin Trading service** on the crypto.com/exchange platform. 
\n\nThe new Margin Trading enhancement released recently allows users to separate margin wallet, obtain a loan to margin trade, place and cancel orders in crypto.com Exchange, and will continuously monitor each user’s Margin Level.\n\n## _Update - 11 September 2020: CRO Swap added into scope_\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n**For your reported vulnerability to be eligible, you must:**\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n\n\n------------------\n\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third-party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n\n## Non-Qualifying Vulnerabilities for CRO Swap assets\n\nThe following are not eligible:\n* The example contracts and the contracts in the test folder for the Periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third-party contract or platform that interacts with CRO swap;\n* Only smart contracts (i.e. Solidity files) are in scope. 
Other non-smart-contract files are out of scope.\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* Auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Issues that result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, like phishing.\n* Exploits based on a complex scenario, or where the probability of exploitation is very low.\n* Reports based on information taken or obtained through illegal access to Crypto.com confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal 
scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-08T02:29:17.061Z"},{"id":3708770,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. 
\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require interaction from a user who has not received a bounty from us will receive a 100% bonus and swag.\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n\n### In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n\n\n------------------\n\n# Testing Resources and Guidance\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.org Chain and areas we are concerned with\n\nWe are looking to find security issues affecting our blockchain protocol such as: \n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities 
that affect the stability or availability of Crypto.org Chain / Explorer\n\n\n------------------\n\n\n# Product and Feature Updates\n\nTo keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly. \n\nFor more information about Crypto.com’s recent dev updates, you may also refer to our blog.\n\n##  _Update - 30 November 2020: “Margin Trading” service released_\n\nCrypto.com has released a new feature called **Margin Trading service** on the crypto.com/exchange platform. \n\nThe new Margin Trading enhancement released recently allows users to separate margin wallet, obtain a loan to margin trade, place and cancel orders in crypto.com Exchange, and will continuously monitor each user’s Margin Level.\n\n## _Update - 11 September 2020: CRO Swap added into scope_\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n**For your reported vulnerability to be eligible, you must:**\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n\n\n------------------\n\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n* Theoretical vulnerabilities without actual proof of 
concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n## Non-Qualifying Vulnerabilities in the Crypto.org Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Cosmos SDK\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n\n## Non-Qualifying Vulnerabilities for CRO Swap assets\n\nThe following are not eligible:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Only smart contracts (i.e. Solidity files) are in scope. Other, non-smart-contract code is out of scope.\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but 
not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-08T02:27:24.714Z"},{"id":3708730,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\nThese bonuses can be combined. 
A high-severity report against https://app.mona.co that does not require interaction from a user who has not received a bounty from us will receive a 100% bonus and swag.\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n\n### In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n\n\n------------------\n\n# Testing Resources and Guidance\n\n\n### _Crypto.org Chain Testnet (Croseied) relevant resources:_\n* https://crypto.org/explorer/\n* https://github.com/crypto-org-chain/chain-main\n* Nodes:\n   * 
13.70.17.170\n   * 13.90.34.32\n   * 40.79.80.22\n* mainnet.crypto.org \n* seed-0.crypto.org\n* seed-1.crypto.org\n* seed-2.crypto.org\n* https://crypto.org/docs/getting-started/mainnet.html#step-2-configure-chain-maind\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.org Chain and areas we are concerned with\n\nWe are looking to find security issues affecting our blockchain protocol such as: \n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.org Chain / Explorer\n\n\n------------------\n\n\n# Product and Feature Updates\n\nTo keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly. \n\nFor more information about Crypto.com’s recent dev updates, you may also refer to our blog.\n\n##  _Update - 30 November 2020: “Margin Trading” service released_\n\nCrypto.com has released a new feature called **Margin Trading service** on the crypto.com/exchange platform. 
\n\nThe new Margin Trading enhancement released recently allows users to separate margin wallet, obtain a loan to margin trade, place and cancel orders in crypto.com Exchange, and will continuously monitor each user’s Margin Level.\n\n## _Update - 11 September 2020: CRO Swap added into scope_\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n**For your reported vulnerability to be eligible, you must:**\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n\n\n------------------\n\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n## Non-Qualifying Vulnerabilities in the Crypto.org Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Cosmos SDK\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. \u003e⅓ Byzantine faults\n\n\n## Non-Qualifying Vulnerabilities for CRO Swap assets\n\nThe following are not eligible:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Only smart contracts (i.e. Solidity files) are in scope. 
Other, non-smart-contract code is out of scope.\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal 
scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-07T08:42:57.528Z"},{"id":3708729,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. 
\n\n# Holiday Promotion\nAll valid reports submitted by February 1st, 2024, may be eligible for one of the following bonuses:\n* All medium-severity or higher reports that do not require user interaction will receive a 33% bonus\n* All reports from a reporter who has not previously been awarded a bounty from Crypto.com will receive a 33% bonus\n* All reports affecting directly or indirectly our main Crypto.com App backend (https://app.mona.co) will receive a 33% bonus\n* All valid reports will receive swag\nThese bonuses can be combined. A high-severity report against https://app.mona.co that does not require interaction from a user who has not received a bounty from us will receive a 100% bonus and swag.\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n\n### In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n\n\n------------------\n\n# Testing Resources and Guidance\n\n\n### _Crypto.org Chain Testnet (Croseied) relevant resources:_\n* https://crypto.org/explorer/\n* https://github.com/crypto-org-chain/chain-main\n* Nodes:\n   * 13.70.17.170\n   * 13.90.34.32\n   * 40.79.80.22\n* mainnet.crypto.org \n* seed-0.crypto.org\n* seed-1.crypto.org\n* seed-2.crypto.org\n* https://crypto.org/docs/getting-started/mainnet.html#step-2-configure-chain-maind\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.org Chain and areas we are concerned with\n\nWe are looking to find security issues affecting our blockchain protocol such as: \n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any 
Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.org Chain / Explorer\n\n\n------------------\n\n\n# Product and Feature Updates\n\nTo keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly. \n\nFor more information about Crypto.com’s recent dev updates, you may also refer to our blog.\n\n##  _Update - 30 November 2020: “Margin Trading” service released_\n\nCrypto.com has released a new feature called **Margin Trading service** on the crypto.com/exchange platform. \n\nThe new Margin Trading enhancement released recently allows users to separate margin wallet, obtain a loan to margin trade, place and cancel orders in crypto.com Exchange, and will continuously monitor each user’s Margin Level.\n\n## _Update - 11 September 2020: CRO Swap added into scope_\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n**For your reported vulnerability to be eligible, you must:**\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient 
information to enable our engineers to reproduce and fix the vulnerability.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n\n\n------------------\n\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. 
HTTP Basic Authentication Phishing)\n\n## Non-Qualifying Vulnerabilities in the Crypto.org Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Cosmos SDK\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. \u003e⅓ Byzantine faults\n\n\n## Non-Qualifying Vulnerabilities for CRO Swap assets\n\nThe following are not eligible:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Only smart contracts (i.e. Solidity files) are in scope. Other, non-smart-contract code is out of scope.\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit 
mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Visa Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-07T08:41:52.536Z"},{"id":3700277,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n\n### In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page\n* An issue identified in the applications listed in the structured scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n\n\n------------------\n\n# Testing Resources and Guidance\n\n\n### _Crypto.org Chain Testnet (Croseied) relevant resources:_\n* https://crypto.org/explorer/\n* https://github.com/crypto-org-chain/chain-main\n* Nodes:\n   * 13.70.17.170\n   * 13.90.34.32\n   * 40.79.80.22\n* mainnet.crypto.org \n* seed-0.crypto.org\n* seed-1.crypto.org\n* seed-2.crypto.org\n* https://crypto.org/docs/getting-started/mainnet.html#step-2-configure-chain-maind\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.org Chain and areas we are concerned 
with\n\nWe are looking to find security issues affecting our blockchain protocol such as: \n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.org Chain / Explorer\n\n\n------------------\n\n\n# Product and Feature Updates [regularly updated]\n\nTo keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly. \n\nFor more information about Crypto.com’s recent dev updates, you may also refer to our blog.\n\n##  _Update - 30 November 2020: “Margin Trading” service released_\n\nCrypto.com has released a new feature called **Margin Trading service** on the crypto.com/exchange platform. 
\n\nThe new Margin Trading enhancement released recently allows users to separate margin wallet, obtain a loan to margin trade, place and cancel orders in crypto.com Exchange, and will continuously monitor each user’s Margin Level.\n\n## _Update - 11 September 2020: CRO Swap added into scope_\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n**For your reported vulnerability to be eligible, you must:**\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n\n\n------------------\n\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n## Non-Qualifying Vulnerabilities in the Crypto.org Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Cosmos SDK\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. \u003e⅓ Byzantine faults (BFT consensus tolerates fewer than one third of faulty validators by design)\n\n\n## Non-Qualifying Vulnerabilities for CRO Swap assets\n\nThe following are not eligible:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Only smart contracts (i.e. Solidity files) are in scope. Other, non-smart-contract files are out of scope.\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of code obfuscation\n* Auth \"app secret\" hard-coded in or recoverable from the APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver components (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Reports that only result in an application-level crash, or that merely mention the possibility of MITM or SQL injection without a working exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploits based on a complex scenario or with a very low probability of exploitation.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal 
scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-23T01:37:42.997Z"},{"id":3700276,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. 
\n\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n\n### In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page\n* An issue identified in the applications listed in the structured scopes only, qualifies for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n\n\n------------------\n\n# Testing Resources and Guidance\n\n\n### _Crypto.org Chain testnet (Croeseid) and mainnet relevant resources:_\n* https://crypto.org/explorer/\n* https://github.com/crypto-org-chain/chain-main\n* Nodes:\n   * 13.70.17.170\n   * 13.90.34.32\n   * 40.79.80.22\n* mainnet.crypto.org\n* seed-0.crypto.org\n* seed-1.crypto.org\n* seed-2.crypto.org\n* https://crypto.org/docs/getting-started/mainnet.html#step-2-configure-chain-maind\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:\n\n* Remote Code Execution\n* Significant manipulation of the account balance\n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass\n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)\n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.org Chain and areas we are concerned with\n\nWe are looking to find security issues affecting our blockchain protocol such as:\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or 
availability of Crypto.org Chain / Explorer\n\n\n------------------\n\n\n# Product and Feature Updates [regularly updated]\n\nTo keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly. \n\nFor more information about Crypto.com’s recent dev updates, you may also refer to our blog.\n\n##  _Update - 30 November 2020: “Margin Trading” service released_\n\nCrypto.com has released a new feature called **Margin Trading service** on the crypto.com/exchange platform. \n\nThe new Margin Trading enhancement released recently allows users to separate margin wallet, obtain a loan to margin trade, place and cancel orders in crypto.com Exchange, and will continuously monitor each user’s Margin Level.\n\n## _Update - 11 September 2020: CRO Swap added into scope_\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n**For your reported vulnerability to be eligible, you must:**\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n\n\n------------------\n\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n* Theoretical vulnerabilities without actual proof of 
concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n## Non-Qualifying Vulnerabilities in the Crypto.org Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Cosmos SDK\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. \u003e⅓ Byzantine faults (BFT consensus tolerates fewer than one third of faulty validators by design)\n\n\n## Non-Qualifying Vulnerabilities for CRO Swap assets\n\nThe following are not eligible:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Only smart contracts (i.e. Solidity files) that are not part of the tests are in scope. Other files are out of scope.\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of code obfuscation\n* Auth \"app secret\" hard-coded in or recoverable from the APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver components (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Reports that only result in an application-level crash, or that merely mention the possibility of MITM or SQL injection without a working exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploits based on a complex scenario or with a very low probability of exploitation.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time, which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour:\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-23T01:26:46.669Z"},{"id":3661897,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope\n\n### In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page\n* Only issues identified in the applications listed in the structured scopes qualify for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n\n\n------------------\n\n# Testing Resources and Guidance\n\n\n### _Crypto.org Chain testnet (Croeseid) and mainnet relevant resources:_\n* https://crypto.org/explorer/\n* https://github.com/crypto-org-chain/chain-main\n* Nodes:\n   * 13.70.17.170\n   * 13.90.34.32\n   * 40.79.80.22\n* mainnet.crypto.org\n* seed-0.crypto.org\n* seed-1.crypto.org\n* seed-2.crypto.org\n* https://crypto.org/docs/getting-started/mainnet.html#step-2-configure-chain-maind\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:\n\n* Remote Code Execution\n* Significant manipulation of the account balance\n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass\n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)\n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.org Chain and areas we are concerned 
with\n\nWe are looking to find security issues affecting our blockchain protocol such as: \n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.org Chain / Explorer\n\n\n------------------\n\n\n# Product and Feature Updates [regularly updated]\n\nTo keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly. \n\nFor more information about Crypto.com’s recent dev updates, you may also refer to our blog.\n\n##  _Update - 30 November 2020: “Margin Trading” service released_\n\nCrypto.com has released a new feature called **Margin Trading service** on the crypto.com/exchange platform. 
\n\nThe new Margin Trading enhancement released recently allows users to separate margin wallet, obtain a loan to margin trade, place and cancel orders in crypto.com Exchange, and will continuously monitor each user’s Margin Level.\n\n## _Update - 11 September 2020: CRO Swap added into scope_\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n**For your reported vulnerability to be eligible, you must:**\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n\n\n------------------\n\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n## Non-Qualifying Vulnerabilities in the Crypto.org Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Cosmos SDK\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. \u003e⅓ Byzantine faults (BFT consensus tolerates fewer than one third of faulty validators by design)\n\n\n## Non-Qualifying Vulnerabilities for CRO Swap assets\n\nThe following are not eligible:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of code obfuscation\n* Auth \"app secret\" hard-coded in or recoverable from the APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver components (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Reports that only result in an application-level crash, or that merely mention the possibility of MITM or SQL injection without a working exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploits based on a complex scenario or with a very low probability of exploitation.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time, which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour:\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-18T08:59:12.421Z"},{"id":3661896,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n\n### In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page\n* An issue identified in the applications listed in the structured scopes only, qualifies for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n\n\n------------------\n\n# Testing Resources and Guidance\n\n\n### _Crypto.org Chain Testnet (Croeseid) relevant resources:_\n* https://crypto.org/explorer/\n* https://github.com/crypto-org-chain/chain-main\n* Nodes:\n   * 13.70.17.170\n   * 13.90.34.32\n   * 40.79.80.22\n* testnet-croeseid-1.crypto.com (resolves to:)\n   * 13.228.49.234\n   * 52.74.63.250\n   * 54.251.255.108\n* mainnet.crypto.org\n* seed-2.crypto.org\n* https://crypto.org/docs/getting-started/mainnet.html#step-2-configure-chain-maind\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:\n\n* Remote Code Execution\n* Significant manipulation of the account balance\n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass\n* Other vulnerabilities with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)\n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.org Chain and areas we are concerned with\n\nWe are looking to find security issues affecting our blockchain protocol such as:\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, individual node, or the reference wallet implementation\n* Transaction 
origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.org Chain / Explorer\n\n\n------------------\n\n\n# Product and Feature Updates [regularly updated]\n\nTo keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly.\n\nFor more information about Crypto.com’s recent dev updates, you may also refer to our blog.\n\n## _Update - 30 November 2020: “Margin Trading” service released_\n\nCrypto.com has released a new feature called **Margin Trading service** on the crypto.com/exchange platform.\n\nThe new Margin Trading enhancement allows users to keep a separate margin wallet, obtain a loan to margin trade, and place and cancel orders on the crypto.com Exchange; the service continuously monitors each user’s Margin Level.\n\n## _Update - 11 September 2020: CRO Swap added into scope_\n\nFor CRO swap, this Program is limited to vulnerabilities affecting the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n**For your reported vulnerability to be eligible, you must:**\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n\n\n------------------\n\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com 
Exchange\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n## Non-Qualifying Vulnerabilities in the Crypto.org Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Cosmos SDK\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example [here](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n\n## Non-Qualifying Vulnerabilities for CRO Swap assets\n\nThe following are not eligible:\n* The example contracts and the contracts in the test folder for the Periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap.\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation\n* Auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, e.g. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Reports that require physical connection to the device with developer-level debugging tools including but not limited to ADB.\n* Reports that result in an application-level crash, or simply mention the possibility of MITM 
or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-18T08:23:52.468Z"},{"id":3661895,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Service attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope\n\n### In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page\n* Only issues identified in the applications listed in the structured scopes qualify for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n\n\n------------------\n\n# Testing Resources and Guidance\n\n\n### _Crypto.com Chain Testnet (Croeseid) relevant resources:_\n* https://crypto.org/explorer/\n* https://github.com/crypto-org-chain/chain-main\n* Nodes:\n   * 13.70.17.170\n   * 13.90.34.32\n   * 40.79.80.22\n* testnet-croeseid-1.crypto.com (resolves to:)\n   * 13.228.49.234\n   * 52.74.63.250\n   * 54.251.255.108\n* mainnet.crypto.org\n* seed-2.crypto.org\n* https://crypto.org/docs/getting-started/mainnet.html#step-2-configure-chain-maind\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:\n\n* Remote Code Execution\n* Significant manipulation of the account balance\n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass\n* Other vulnerabilities with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)\n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.org Chain and areas we are concerned with\n\nWe are looking to find security issues affecting our blockchain protocol such as:\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, individual node, or the reference wallet implementation\n* Transaction 
origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.org Chain / Explorer\n\n\n------------------\n\n\n# Product and Feature Updates [regularly updated]\n\nTo keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly.\n\nFor more information about Crypto.com’s recent dev updates, you may also refer to our blog.\n\n## _Update - 30 November 2020: “Margin Trading” service released_\n\nCrypto.com has released a new feature called **Margin Trading service** on the crypto.com/exchange platform.\n\nThe new Margin Trading enhancement allows users to keep a separate margin wallet, obtain a loan to margin trade, and place and cancel orders on the crypto.com Exchange; the service continuously monitors each user’s Margin Level.\n\n## _Update - 11 September 2020: CRO Swap added into scope_\n\nFor CRO swap, this Program is limited to vulnerabilities affecting the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n**For your reported vulnerability to be eligible, you must:**\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n\n\n------------------\n\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com 
Exchange\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n## Non-Qualifying Vulnerabilities in the Crypto.org Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Cosmos SDK\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example [here](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n\n## Non-Qualifying Vulnerabilities for CRO Swap assets\n\nThe following are not eligible:\n* The example contracts and the contracts in the test folder for the Periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap.\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation\n* Auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, e.g. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Reports that require physical connection to the device with developer-level debugging tools including but not limited to ADB.\n* Reports that result in an application-level crash, or simply mention the possibility of MITM 
or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-18T08:22:45.446Z"},{"id":3648160,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n\n# Program Rules\n\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Service attacks.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope\n\n### In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page\n* Only issues identified in the applications listed in the structured scopes qualify for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n\n\n------------------\n\n# Testing Resources and Guidance\n\n\n### _Crypto.com Chain Testnet (Croeseid) relevant resources:_\n* https://chain.crypto.com\n* https://github.com/crypto-com/chain-main\n* Nodes:\n   * 13.70.17.170\n   * 13.90.34.32\n   * 40.79.80.22\n* testnet-croeseid-1.crypto.com (resolves to:)\n   * 13.228.49.234\n   * 52.74.63.250\n   * 54.251.255.108\n\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:\n\n* Remote Code Execution\n* Significant manipulation of the account balance\n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass\n* Other vulnerabilities with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)\n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain and areas we are concerned with\n\nWe are looking to find security issues affecting our blockchain protocol such as:\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n\n------------------\n\n\n# 
Product and Feature Updates [regularly updated]\n\nTo keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly.\n\nFor more information about Crypto.com’s recent dev updates, you may also refer to our blog.\n\n## _Update - 30 November 2020: “Margin Trading” service released_\n\nCrypto.com has released a new feature called **Margin Trading service** on the crypto.com/exchange platform.\n\nThe new Margin Trading enhancement allows users to keep a separate margin wallet, obtain a loan to margin trade, and place and cancel orders on the crypto.com Exchange; the service continuously monitors each user’s Margin Level.\n\n## _Update - 11 September 2020: CRO Swap added into scope_\n\nFor CRO swap, this Program is limited to vulnerabilities affecting the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n**For your reported vulnerability to be eligible, you must:**\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n\n\n------------------\n\n\n# Out-of-scope Vulnerabilities\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and 
password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n## Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Cosmos SDK\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example [here](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n\n## Non-Qualifying Vulnerabilities for CRO Swap assets\n\nThe following are not eligible:\n* The example contracts and the contracts in the test folder for the Periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap.\n\n\n## Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation\n* Auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, e.g. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Reports that require physical connection to the device with developer-level debugging tools including but not limited to ADB.\n* Reports that result in an application-level crash, or simply mention the possibility of MITM 
or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Internally known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n# Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n# Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-28T12:37:39.655Z"},{"id":3646947,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n\n##  _Update - 30 November 2020_\n\nCrypto.com has released a new feature called **Margin Trading service** on the crypto.com/exchange platform. \n\nThe new Margin Trading enhancement released recently allows users to separate margin wallet, obtain a loan to margin trade, place and cancel orders in crypto.com Exchange, and will continuously monitor each user’s Margin Level.\n\n\n## _Update - 11 September 2020_\n\n### CRO Swap has been added into our Scope\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n### Eligibility of vulnerabilities for CRO Swap \n\nTo be eligible, you must:\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not engage in any unlawful conduct when disclosing the bug to CRYPTO.com, including through threats, demands, or any other coercive tactics.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of CRO swap.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities 
to provide impact regarding any of the vulnerabilities.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n* Be at least 18 years of age.\n\n### Out of Scope for CRO swap\n\nThe following are not within the scope of the Program:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Vulnerabilities already reported and/or discovered in contracts built by third parties on CRO swap; and \n* Any already-reported bugs.\n\nVulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:\n\n* Front end bugs;\n* DDOS attack;\n* Spamming;\n* Automated tools;\n* Compromising or misusing third party systems or services.\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n\n------------------\n\n## Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n## In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain Testnet (Croseied), you can access the relevant resources here:_\n   * https://chain.crypto.com\n   * https://github.com/crypto-com/chain-main\n   * Nodes:\n        * 13.70.17.170\n        * 13.90.34.32\n        * 40.79.80.22\n  * testnet-croeseid-1.crypto.com (resolves to:)\n        * 13.228.49.234\n        * 52.74.63.250\n        * 54.251.255.108\n* _For Crypto.com Chain Devnet (Thaler), you can access the relevant resources here:_\n   * https://thaler-testnet.crypto.com\n   * https://github.com/crypto-com/thaler \n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Nodes:\n        * 23.96.62.106\n        * 52.146.34.48\n\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\t\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing * Self-XSS  * Denial of service (DoS) * Spamming * Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing * Cache-control related issues * Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc.(E.g. HTTP Basic Authentication Phishing)\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n*  Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n## Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n## Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-17T11:35:57.321Z"},{"id":3646905,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n# _UPDATE 11 September 2020_\n\n## CRO Swap has been added into our Scope\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n## Eligibility of vulnerabilities for CRO Swap \n\nTo be eligible, you must:\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not engage in any unlawful conduct when disclosing the bug to CRYPTO.com, including through threats, demands, or any other coercive tactics.\n* Not exploit the vulnerability in any way, including through making it public or 
by obtaining a profit (other than a reward under this Program).\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of CRO swap.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n* Be at least 18 years of age.\n\n## Out of Scope for CRO swap\n\nThe following are not within the scope of the Program:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Vulnerabilities already reported and/or discovered in contracts built by third parties on CRO swap; and \n* Any already-reported bugs.\n\nVulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:\n\n* Front end bugs;\n* DDOS attack;\n* Spamming;\n* Automated tools;\n* Compromising or misusing third party systems or services.\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n\n------------------\n\n## Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n## In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain Testnet (Croseied), you can access the relevant resources here:_\n   * https://chain.crypto.com\n   * https://github.com/crypto-com/chain-main\n   * Nodes:\n        * 13.70.17.170\n        * 13.90.34.32\n        * 40.79.80.22\n  * testnet-croeseid-1.crypto.com (resolves to:)\n        * 13.228.49.234\n        * 52.74.63.250\n        * 54.251.255.108\n* _For Crypto.com Chain Devnet (Thaler), you can access the relevant resources here:_\n   * https://thaler-testnet.crypto.com\n   * https://github.com/crypto-com/thaler \n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Nodes:\n        * 23.96.62.106\n        * 52.146.34.48\n\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\t\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing * Self-XSS  * Denial of service (DoS) * Spamming * Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing * Cache-control related issues * Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc.(E.g. HTTP Basic Authentication Phishing)\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n*  Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n## Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n## Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-16T08:46:24.199Z"},{"id":3646264,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n# _UPDATE 30 November 2020_\n\n## New Margin Trading service has been added to our Exchange\n\n* Promotion Period: 30 November 2020 to 14 December 2020, 12am UTC\n* Scope: https://crypto.com/exchange - Margin Trading Service\n* Bounty: **Up to $20,000 for a single issue is up for grabs** and we hope you’d be able to test out this new feature and help secure our new feature release. 
\n\n# _UPDATE 11 September 2020_\n\n## CRO Swap has been added into our Scope\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n## Eligibility of vulnerabilities for CRO Swap \n\nTo be eligible, you must:\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not engage in any unlawful conduct when disclosing the bug to CRYPTO.com, including through threats, demands, or any other coercive tactics.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of CRO swap.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n* Be at least 18 years of age.\n\n## Out of Scope for CRO swap\n\nThe following are not within the scope of the Program:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* 
Bugs in any third party contract or platform that interacts with CRO swap;\n* Vulnerabilities already reported and/or discovered in contracts built by third parties on CRO swap; and \n* Any already-reported bugs.\n\nVulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:\n\n* Front end bugs;\n* DDOS attack;\n* Spamming;\n* Automated tools;\n* Compromising or misusing third party systems or services.\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n\n------------------\n\n## Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n## In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain Testnet (Croseied), you can access the relevant resources here:_\n   * https://chain.crypto.com\n   * https://github.com/crypto-com/chain-main\n   * Nodes:\n        * 13.70.17.170\n        * 13.90.34.32\n        * 40.79.80.22\n  * testnet-croeseid-1.crypto.com (resolves to:)\n        * 13.228.49.234\n        * 52.74.63.250\n        * 54.251.255.108\n* _For Crypto.com Chain Devnet (Thaler), you can access the relevant resources here:_\n   * https://thaler-testnet.crypto.com\n   * https://github.com/crypto-com/thaler \n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Nodes:\n        * 23.96.62.106\n        * 52.146.34.48\n\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\t\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation\n* Auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n## Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n## Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-30T09:38:38.214Z"},{"id":3646263,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n# _UPDATE 30 November 2020_\n\n## New Margin Trading service added to our Exchange\n\n* Promotion Period: 30 November 2020 to 14 December 2020, 12am UTC\n* Scope: https://crypto.com/exchange - Margin Trading Service\n* Bounty: **Up to $20,000 for a single issue is up for grabs** and we hope you’d be able to test out this new feature and help secure our new feature release. 
\n\n# _UPDATE 11 September 2020_\n\n## CRO Swap has been added into our Scope\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n## Eligibility of vulnerabilities for CRO Swap \n\nTo be eligible, you must:\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not engage in any unlawful conduct when disclosing the bug to CRYPTO.com, including through threats, demands, or any other coercive tactics.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of CRO swap.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n* Be at least 18 years of age.\n\n## Out of Scope for CRO swap\n\nThe following are not within the scope of the Program:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* 
Bugs in any third party contract or platform that interacts with CRO swap;\n* Vulnerabilities already reported and/or discovered in contracts built by third parties on CRO swap; and \n* Any already-reported bugs.\n\nVulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:\n\n* Front end bugs;\n* DDOS attack;\n* Spamming;\n* Automated tools;\n* Compromising or misusing third party systems or services.\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n\n------------------\n\n## Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n## In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain Testnet (Croseied), you can access the relevant resources here:_\n   * https://chain.crypto.com\n   * https://github.com/crypto-com/chain-main\n   * Nodes:\n        * 13.70.17.170\n        * 13.90.34.32\n        * 40.79.80.22\n  * testnet-croeseid-1.crypto.com (resolves to:)\n        * 13.228.49.234\n        * 52.74.63.250\n        * 54.251.255.108\n* _For Crypto.com Chain Devnet (Thaler), you can access the relevant resources here:_\n   * https://thaler-testnet.crypto.com\n   * https://github.com/crypto-com/thaler \n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Nodes:\n        * 23.96.62.106\n        * 52.146.34.48\n\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\t\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation\n* Auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n## Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n## Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-30T09:36:31.922Z"},{"id":3644679,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n\n# _UPDATE 11 September 2020_\n\n## CRO Swap has been added into our Scope\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n## Eligibility of vulnerabilities for CRO Swap \n\nTo be eligible, you must:\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not engage in any unlawful conduct when disclosing the bug to CRYPTO.com, including through threats, demands, or any other coercive tactics.\n* Not exploit the vulnerability in any way, including through making it public 
or by obtaining a profit (other than a reward under this Program).\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of CRO swap.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n* Be at least 18 years of age.\n\n## Out of Scope for CRO swap\n\nThe following are not within the scope of the Program:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Vulnerabilities already reported and/or discovered in contracts built by third parties on CRO swap; and \n* Any already-reported bugs.\n\nVulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:\n\n* Front end bugs;\n* DDOS attack;\n* Spamming;\n* Automated tools;\n* Compromising or misusing third party systems or services.\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n\n------------------\n\n## Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n## In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain Testnet (Croseied), you can access the relevant resources here:_\n   * https://chain.crypto.com\n   * https://github.com/crypto-com/chain-main\n   * Nodes:\n        * 13.70.17.170\n        * 13.90.34.32\n        * 40.79.80.22\n  * testnet-croeseid-1.crypto.com (resolves to:)\n        * 13.228.49.234\n        * 52.74.63.250\n        * 54.251.255.108\n* _For Crypto.com Chain Devnet (Thaler), you can access the relevant resources here:_\n   * https://thaler-testnet.crypto.com\n   * https://github.com/crypto-com/thaler \n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Nodes:\n        * 23.96.62.106\n        * 52.146.34.48\n\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\t\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation\n* Auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n## Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n## Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-03T06:34:17.738Z"},{"id":3644678,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n\n# _UPDATE 11 September 2020_\n\n## CRO Swap has been added into our Scope\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n## Eligibility of vulnerabilities for CRO Swap \n\nTo be eligible, you must:\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not engage in any unlawful conduct when disclosing the bug to CRYPTO.com, including through threats, demands, or any other coercive tactics.\n* Not exploit the vulnerability in any way, including through making it public 
or by obtaining a profit (other than a reward under this Program).\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of CRO swap.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n* Be at least 18 years of age.\n\n## Out of Scope for CRO swap\n\nThe following are not within the scope of the Program:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Vulnerabilities already reported and/or discovered in contracts built by third parties on CRO swap; and \n* Any already-reported bugs.\n\nVulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:\n\n* Front end bugs;\n* DDOS attack;\n* Spamming;\n* Automated tools;\n* Compromising or misusing third party systems or services.\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n\n------------------\n\n## Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n## In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain Testnet (Croeseid), you can access the relevant resources here:_\n   * https://chain.crypto.com\n   * https://github.com/crypto-com/chain-main\n   * Nodes:\n        * 13.70.17.170\n        * 13.90.34.32\n        * 40.79.80.22\n   * testnet-croeseid-1.crypto.com (resolves to:)\n        * 13.228.49.234\n        * 52.74.63.250\n        * 54.251.255.108\n* _For Crypto.com Chain Devnet (Thaler), you can access the relevant resources here:_\n   * https://github.com/crypto-com/thaler\n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Nodes:\n        * 23.96.62.106\n        * 52.146.34.48\n\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution\n* Significant manipulation of the account balance\n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass\n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)\n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\t\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing * Self-XSS  * Denial of service (DoS) * Spamming * Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing * Cache-control related issues * Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc.(E.g. HTTP Basic Authentication Phishing)\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n*  Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n## Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n## Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-03T06:26:33.891Z"},{"id":3644639,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n\n# _UPDATE 11 September 2020_\n\n## CRO Swap has been added into our Scope\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n## Eligibility of vulnerabilities for CRO Swap \n\nTo be eligible, you must:\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not engage in any unlawful conduct when disclosing the bug to CRYPTO.com, including through threats, demands, or any other coercive tactics.\n* Not exploit the vulnerability in any way, including through making it public 
or by obtaining a profit (other than a reward under this Program).\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of CRO swap.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n* Be at least 18 years of age.\n\n## Out of Scope for CRO swap\n\nThe following are not within the scope of the Program:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Vulnerabilities already reported and/or discovered in contracts built by third parties on CRO swap; and \n* Any already-reported bugs.\n\nVulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:\n\n* Front end bugs;\n* DDOS attack;\n* Spamming;\n* Automated tools;\n* Compromising or misusing third party systems or services.\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n\n------------------\n\n## Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n## In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain Devnet, you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public DevNet)\n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Validator Nodes:\n        * 52.146.34.48\n* _For Crypto.com Chain Testnet, you can access the relevant resources here:_\n   * https://chain.crypto.com\n   * https://github.com/crypto-com/chain-main\n   * Validator Nodes:\n        * 13.70.17.170\n        * 13.90.34.32\n        * 23.96.62.106\n        * 40.79.80.22\n        * testnet-croeseid-1.crypto.com (resolves to:)\n           * 13.228.49.234\n           * 52.74.63.250\n           * 54.251.255.108\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\t\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing * Self-XSS  * Denial of service (DoS) * Spamming * Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing * Cache-control related issues * Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc.(E.g. HTTP Basic Authentication Phishing)\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n*  Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n## Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n------------------\n\n## Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n## Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-02T02:16:07.825Z"},{"id":3644130,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n\n# _UPDATE 11 September 2020_\n\n## CRO Swap has been added into our Scope\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n## Eligibility of vulnerabilities for CRO Swap \n\nTo be eligible, you must:\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not engage in any unlawful conduct when disclosing the bug to CRYPTO.com, including through threats, demands, or any other coercive tactics.\n* Not exploit the vulnerability in any way, including through making it public 
or by obtaining a profit (other than a reward under this Program).\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of CRO swap.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n* Be at least 18 years of age.\n\n## Out of Scope for CRO swap\n\nThe following are not within the scope of the Program:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Vulnerabilities already reported and/or discovered in contracts built by third parties on CRO swap; and \n* Any already-reported bugs.\n\nVulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:\n\n* Front end bugs;\n* DDOS attack;\n* Spamming;\n* Automated tools;\n* Compromising or misusing third party systems or services.\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n\n------------------\n\n## Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n\n------------------\n\n# Scope \n## In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain, you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public DevNet)\n   * https://github.com/crypto-com/chain-main\n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Validator Nodes:\n        * 13.82.183.37:26656\n        * 13.80.64.101:26656\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\t\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing * Self-XSS  * Denial of service (DoS) * Spamming * Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing * Cache-control related issues * Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc.(E.g. HTTP Basic Authentication Phishing)\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n*  Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Software bugs that have no security impact\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view opened URIs\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage or in the app's private directory\n* Lack of code obfuscation\n* Auth \"app secret\" hard-coded in or recoverable from the APK\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver, or due to malformed URL schemes (exploiting these for sensitive data leakage is commonly in scope)\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact\n* Distributed denial of service attacks (DDoS)\n* DNSSEC misconfiguration\n* Lack of binary protection (anti-debugging) controls\n* Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers\n* Issues that are not reproducible\n* Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on the main website\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB\n* Reports that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit\n* Scenarios requiring excessive user interaction or tricking users, such as phishing\n* Exploits based on a complex scenario, or where the probability of exploitation is very low\n* Reports based on information that is already public\n* Reports based on information taken or obtained through illegal access to Crypto.com confidential information\n\n## Previously Known Issues\n* Crypto.com is serious about security, and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n------------------\n\n## Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n\n## Safe Harbour:\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-22T07:30:04.252Z"},{"id":3642294,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n\n# _UPDATE 11 September 2020_\n\n## CRO Swap has been added into our Scope\n\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\n* https://github.com/crypto-com/cro-staking\n* https://github.com/crypto-com/swap-contracts-periphery\n* https://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n## Eligibility of vulnerabilities for CRO Swap \n\nTo be eligible, you must:\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not engage in any unlawful conduct when disclosing the bug to CRYPTO.com, including through threats, demands, or any other coercive tactics.\n* Not exploit the vulnerability in any way, including through making it public 
or by obtaining a profit (other than a reward under this Program).\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of CRO swap.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n* Be at least 18 years of age.\n\n## Out of Scope for CRO swap\n\nThe following are not within the scope of the Program:\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Vulnerabilities already reported and/or discovered in contracts built by third parties on CRO swap; and \n* Any already-reported bugs.\n\nVulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:\n\n* Front end bugs;\n* DDOS attack;\n* Spamming;\n* Automated tools;\n* Compromising or misusing third party systems or services.\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n\n------------------\n\n## Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. 
They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* If we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n------------------\n\n# Scope\n## In Scope Assets: See Structured Scope\n* Only issues identified in the applications listed in Structured Scopes qualify for the program. Once a report has been triaged as valid, it is considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ The severity shown in the structured scopes indicates the maximum severity possible for reports submitted against that asset.\n* Over time, additional apps or web applications may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain (Public TestNet), you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public TestNet)\n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Validator Nodes:\n        * 13.82.183.37:26656\n        * 13.80.64.101:26656\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node or the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result or degrade consensus performance\n* Unauthorized movement of funds or access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains are hosted by third parties and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n* *.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\n\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without an actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (e.g. the ability to identify registered emails via password reset)\n* Information disclosure with minimal security impact (e.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third-party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans without a demonstration of exploitability\n* Vulnerabilities related to browser autofill of web forms\n* Use of known vulnerable libraries without an actual proof of concept\n* Lack of security flags on cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol versions\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP addresses or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (e.g. adding to favorites, logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as physical attacks, social engineering, phishing, etc. (e.g. HTTP Basic Authentication phishing)\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent third-party library\n* Vulnerabilities in the [demo wallet example](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Software bugs that have no security impact\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view opened URIs\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage or in the app's private directory\n* Lack of code obfuscation\n* Auth \"app secret\" hard-coded in or recoverable from the APK\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver, or due to malformed URL schemes (exploiting these for sensitive data leakage is commonly in scope)\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact\n* Distributed denial of service attacks (DDoS)\n* DNSSEC misconfiguration\n* Lack of binary protection (anti-debugging) controls\n* Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers\n* Issues that are not reproducible\n* Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on the main website\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB\n* Reports that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit\n* Scenarios requiring excessive user interaction or tricking users, such as phishing\n* Exploits based on a complex scenario, or where the probability of exploitation is very low\n* Reports based on information that is already public\n* Reports based on information taken or obtained through illegal access to Crypto.com confidential information\n\n## Previously Known Issues\n* Crypto.com is serious about security, and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n------------------\n\n## Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n\n## Safe Harbour:\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-11T09:14:22.103Z"},{"id":3642287,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n# UPDATE 11 September 2020:\n\n## CRO Swap:\n## Scope:\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\nhttps://github.com/crypto-com/cro-staking\n\nhttps://github.com/crypto-com/swap-contracts-periphery\n\nhttps://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n\n## Eligibility\nTo be eligible for a reward under this Program, you must:\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not engage in any unlawful conduct when disclosing the bug to CRYPTO.com, including through threats, demands, or any other coercive tactics.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit 
(other than a reward under this Program).\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of CRO swap.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n* Be at least 18 years of age.\n\n## Out of Scope \nThe following are not within the scope of the Program:\n\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Vulnerabilities already reported and/or discovered in contracts built by third parties on CRO swap; and \n* Any already-reported bugs.\n\nVulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:\n\n* Front end bugs;\n* DDOS attack;\n* Spamming;\n* Automated tools;\n* Compromising or misusing third party systems or services.\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n\n# UPDATE 19 September 2019: New Crypto.com Chain assets added\nWe’re happy to announce some new releases of our products and have added new assets to our Scope. 
We've updated this policy page with sections that are relevant to the Crypto.com Chain:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Chain\n* Non-Qualifying Vulnerabilities in the Crypto.com Chain\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n## Rules\n* Please do not publicly disclose any vulnerabilities without our consent. We will not approve public disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* If we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n# Scope\n## In Scope Assets: See Structured Scope\n* Only issues identified in the applications listed in Structured Scopes qualify for the program. Once a report has been triaged as valid, it is considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ The severity shown in the structured scopes indicates the maximum severity possible for reports submitted against that asset.\n* Over time, additional apps or web applications may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain (Public TestNet), you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public TestNet)\n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Validator Nodes:\n        * 13.82.183.37:26656\n        * 13.80.64.101:26656\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node or the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result or degrade consensus performance\n* Unauthorized movement of funds or access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains are hosted by third parties and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n* *.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\n\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without an actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (e.g. the ability to identify registered emails via password reset)\n* Information disclosure with minimal security impact (e.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third-party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans without a demonstration of exploitability\n* Vulnerabilities related to browser autofill of web forms\n* Use of known vulnerable libraries without an actual proof of concept\n* Lack of security flags on cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol versions\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP addresses or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (e.g. adding to favorites, logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as physical attacks, social engineering, phishing, etc. (e.g. HTTP Basic Authentication phishing)\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent third-party library\n* Vulnerabilities in the [demo wallet example](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Software bugs that have no security impact\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view opened URIs\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage or in the app's private directory\n* Lack of code obfuscation\n* Auth \"app secret\" hard-coded in or recoverable from the APK\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver, or due to malformed URL schemes (exploiting these for sensitive data leakage is commonly in scope)\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact\n* Distributed denial of service attacks (DDoS)\n* DNSSEC misconfiguration\n* Lack of binary protection (anti-debugging) controls\n* Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers\n* Issues that are not reproducible\n* Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on the main website\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB\n* Reports that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit\n* Scenarios requiring excessive user interaction or tricking users, such as phishing\n* Exploits based on a complex scenario, or where the probability of exploitation is very low\n* Reports based on information that is already public\n* Reports based on information taken or obtained through illegal access to Crypto.com confidential information\n\n## Previously Known Issues\n* Crypto.com is serious about security, and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n## Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n\n## Safe Harbour:\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-11T08:10:35.879Z"},{"id":3642286,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n# UPDATE 11 September 2020:\n\n## CRO Swap:\n## Scope:\nThis Program is limited to the vulnerabilities affecting CRO swap in the following contracts:\n\nhttps://github.com/crypto-com/cro-staking\n\nhttps://github.com/crypto-com/swap-contracts-periphery\n\nhttps://github.com/crypto-com/swap-contracts-core\n\nFor purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.\n\n\n## Eligibility\nTo be eligible for a reward under this Program, you must:\n\n* Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.\n* Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.\n* Not engage in any unlawful conduct when disclosing the bug to CRYPTO.com, including through threats, demands, or any other coercive tactics.\n* Not exploit the vulnerability in any way, including through making it public or by obtaining a profit 
(other than a reward under this Program).\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of CRO swap.\n* Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.\n* Be at least 18 years of age.\n\n## Out of Scope \nThe following are not within the scope of the Program:\n\n* The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;\n* Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);\n* Bugs in any third party contract or platform that interacts with CRO swap;\n* Vulnerabilities already reported and/or discovered in contracts built by third parties on CRO swap; and \n* Any already-reported bugs.\n\nVulnerabilities contingent upon the occurrence of any of the following activities also are outside the scope of this Program:\n\n* Front end bugs;\n* DDOS attack;\n* Spamming;\n* Automated tools;\n* Compromising or misusing third party systems or services.\n* Any MCO cashback gained via a typical purchase, payment or cash advance\n\n# UPDATE 19 September 2019: New Crypto.com Chain assets added\nWe’re happy to announce some new releases of our products and have added new assets to our Scope. 
We've updated this policy page with sections that are relevant to the Crypto.com Chain:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Chain\n* Non-Qualifying Vulnerabilities in the Crypto.com Chain\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n## Rules\n* Please do not publicly disclose any vulnerabilities without our consent. We will not approve public disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* If we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n# Scope\n## In Scope Assets: See Structured Scope\n* Only issues identified in the applications listed in Structured Scopes qualify for the program. Once a report has been triaged as valid, it is considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ The severity shown in the structured scopes indicates the maximum severity possible for reports submitted against that asset.\n* Over time, additional apps or web applications may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain (Public TestNet), you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public TestNet)\n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Validator Nodes:\n        * 13.82.183.37:26656\n        * 13.80.64.101:26656\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution\n* Significant manipulation of the account balance\n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass\n* Other vulnerabilities with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)\n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node or the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result or performance\n* Unauthorized movement of funds or access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains are hosted by third parties and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n* *.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\n\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without an actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third-party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans without a demonstration of exploitability\n* Vulnerabilities related to autofill in web forms\n* Use of known vulnerable libraries without an actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol versions\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP addresses or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication phishing)\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent third-party library\n* Vulnerabilities in the demo wallet example [here](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any CRO cashback gained via a typical purchase, payment or cash advance\n* Software bugs that have no security impact\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view opened URIs\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage or in the app's private directory\n* Lack of code obfuscation\n* Auth \"app secret\" hard-coded in or recoverable from the APK\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact\n* Distributed denial of service attacks (DDoS)\n* DNSSEC misconfiguration\n* Lack of binary protection (anti-debugging) controls\n* Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers\n* Issues that are not reproducible\n* Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on the main website\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB\n* Reports that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit\n* Scenarios requiring excessive user interaction or tricking users, such as phishing\n* Exploits based on a complex scenario, or where the probability of exploitation is very low\n* Reports based on information that is already public\n* Reports based on information taken or obtained through illegal access to Crypto.com confidential information\n\n## Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n## Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n\n## Safe Harbour:\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-11T07:59:31.317Z"},{"id":3638769,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only.\n\nWe've updated this policy page with sections that are relevant to the Crypto.com Exchange:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Exchange\n* Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n\n# UPDATE 19 September: New Crypto.com Chain assets added\nWe’re happy to announce some new releases of our products and have added new assets to our Scope. We've updated this policy page with sections that are relevant to the Crypto.com Chain:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Chain\n* Non-Qualifying Vulnerabilities in the Crypto.com Chain\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n## Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. 
We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial-of-service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* If we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n# Scope\n## In Scope Assets: See Structured Scope\n* Only issues identified in the applications listed in Structured Scope qualify for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ The severity shown in the structured scope indicates the maximum severity possible for reports submitted against that asset.\n* Over time, additional apps or web applications may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain (Public TestNet), you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public TestNet)\n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Validator Nodes:\n        * 13.82.183.37:26656\n        * 13.80.64.101:26656\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution\n* Significant manipulation of the account balance\n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass\n* Other vulnerabilities with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)\n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node or the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result or performance\n* Unauthorized movement of funds or access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains are hosted by third parties and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n* *.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\n\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without an actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third-party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans without a demonstration of exploitability\n* Vulnerabilities related to autofill in web forms\n* Use of known vulnerable libraries without an actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol versions\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP addresses or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication phishing)\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent third-party library\n* Vulnerabilities in the demo wallet example [here](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Any MCO cashback gained via a typical purchase, payment or cash advance\n* Software bugs that have no security impact\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view opened URIs\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage or in the app's private directory\n* Lack of code obfuscation\n* Auth \"app secret\" hard-coded in or recoverable from the APK\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact\n* Distributed denial of service attacks (DDoS)\n* DNSSEC misconfiguration\n* Lack of binary protection (anti-debugging) controls\n* Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers\n* Issues that are not reproducible\n* Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on the main website\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB\n* Reports that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit\n* Scenarios requiring excessive user interaction or tricking users, such as phishing\n* Exploits based on a complex scenario, or where the probability of exploitation is very low\n* Reports based on information that is already public\n* Reports based on information taken or obtained through illegal access to Crypto.com confidential information\n\n## Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n## Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n\n## Safe Harbour:\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-30T09:42:08.897Z"},{"id":3638433,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only.\n\nWe've updated this policy page with sections that are relevant to the Crypto.com Exchange:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Exchange\n* Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n\n# UPDATE 19 September: New Crypto.com Chain assets added\nWe’re happy to announce some new releases of our products and have added new assets to our Scope. We've updated this policy page with sections that are relevant to the Crypto.com Chain:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Chain\n* Non-Qualifying Vulnerabilities in the Crypto.com Chain\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n## Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. 
We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial-of-service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* If we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n# Scope\n## In Scope Assets: See Structured Scope\n* Only issues identified in the applications listed in Structured Scope qualify for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ The severity shown in the structured scope indicates the maximum severity possible for reports submitted against that asset.\n* Over time, additional apps or web applications may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain (Public TestNet), you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public TestNet)\n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Validator Nodes:\n        * 13.82.183.37:26656\n        * 13.80.64.101:26656\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution\n* Significant manipulation of the account balance\n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass\n* Other vulnerabilities with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)\n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node or the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result or performance\n* Unauthorized movement of funds or access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains are hosted by third parties and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n* *.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\n\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without an actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third-party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans without a demonstration of exploitability\n* Vulnerabilities related to autofill in web forms\n* Use of known vulnerable libraries without an actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol versions\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP addresses or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication phishing)\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent third-party library\n* Vulnerabilities in the demo wallet example [here](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact\n* Shared links leaked through the system clipboard\n* Any URIs leaked because a malicious app has permission to view opened URIs\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage or in the app's private directory\n* Lack of code obfuscation\n* Auth \"app secret\" hard-coded in or recoverable from the APK\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact\n* Distributed denial of service attacks (DDoS)\n* DNSSEC misconfiguration\n* Lack of binary protection (anti-debugging) controls\n* Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers\n* Issues that are not reproducible\n* Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on the main website\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB\n* Reports that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit\n* Scenarios requiring excessive user interaction or tricking users, such as phishing\n* Exploits based on a complex scenario, or where the probability of exploitation is very low\n* Reports based on information that is already public\n* Reports based on information taken or obtained through illegal access to Crypto.com confidential information\n\n## Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n## Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n\n## Safe Harbour:\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-25T09:30:32.432Z"},{"id":3637394,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only.\n\n\n# !! Promotion !!\n\nWe are excited to announce we are running a promotion on the Crypto.com EXCHANGE platform.\n\nThe promotion will run from Wednesday 17th June to Wednesday 24th June.\n\nWe are doubling the bounty reward for valid high and critical reports specifically related to the Crypto.com EXCHANGE platform:\n\nCritical: $20,000\nHigh: $10,000\n\nWe look forward to your submissions!\n\n\nWe've also updated this policy page with sections that are relevant to the Crypto.com Exchange:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Exchange\n* Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n\n# UPDATE 19 September: New Crypto.com Chain assets added\nWe’re happy to announce some new releases of our products and have added new assets to our Scope. 
We've updated this policy page with sections that are relevant to the Crypto.com Chain:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Chain\n* Non-Qualifying Vulnerabilities in the Crypto.com Chain\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n## Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial-of-service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* If we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n# Scope\n## In Scope Assets: See Structured Scope\n* Only issues identified in the applications listed in Structured Scope qualify for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ The severity shown in the structured scope indicates the maximum severity possible for reports submitted against that asset.\n* Over time, additional apps or web applications may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain (Public TestNet), you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public TestNet)\n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Validator Nodes:\n        * 13.82.183.37:26656\n        * 13.80.64.101:26656\n\n### Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution\n* Significant manipulation of the account balance\n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass\n* Other vulnerabilities with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)\n* Other CSRF (excluding logout CSRF)\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n##Out of Scope\nThe following domains are hosted by third parties and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n###Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP addresses or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n###Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the [demo wallet example](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n###Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation\n* Auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver components (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, e.g. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Issues that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, such as phishing.\n* Exploits that depend on a complex scenario or whose probability of exploitation is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access to Crypto.com Confidential information.\n\n##Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n##Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n\n##Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-16T10:02:06.338Z"},{"id":3635347,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only.\n\nWe've also updated this policy page with sections that are relevant to the Crypto.com Exchange:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Exchange\n* Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n\n# UPDATE 19 September: New Crypto.com Chain assets added\nWe’re happy to announce some new releases of our products and have added new assets to our Scope. We've updated this policy page with sections that are relevant to the Crypto.com Chain:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Chain\n* Non-Qualifying Vulnerabilities in the Crypto.com Chain\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. 
We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n#Scope \n##In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain (Public TestNet), you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public TestNet)\n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Validator Nodes:\n        * 13.82.183.37:26656\n        * 13.80.64.101:26656\n\n###Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n###Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n##Out of Scope\nThe following domains are hosted by third parties and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n###Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP addresses or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n###Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the [demo wallet example](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n###Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation\n* Auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver components (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, e.g. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Issues that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, such as phishing.\n* Exploits that depend on a complex scenario or whose probability of exploitation is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access to Crypto.com Confidential information.\n\n##Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n##Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n\n##Safe Harbour: \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-23T08:39:13.344Z"},{"id":3634429,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only.\n\nWe've also updated this policy page with sections that are relevant to the Crypto.com Exchange:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Exchange\n* Non-Qualifying Vulnerabilities in the Crypto.com Exchange\n\n# UPDATE 19 September: New Crypto.com Chain assets added\nWe’re happy to announce some new releases of our products and have added new assets to our Scope. We've updated this policy page with sections that are relevant to the Crypto.com Chain:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Chain\n* Non-Qualifying Vulnerabilities in the Crypto.com Chain\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. 
We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n#Scope \n##In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain (Public TestNet), you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public TestNet)\n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Validator Nodes:\n        * 13.82.183.37:26656\n        * 13.80.64.101:26656\n\n###Qualifying Vulnerabilities in the Crypto.com Exchange\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n###Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n##Out of Scope\nThe following domains are hosted by third parties and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n###Non-Qualifying Vulnerabilities in the Crypto.com Exchange\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP addresses or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n###Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the [demo wallet example](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n###Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation\n* Auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver components (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, e.g. PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Issues that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, such as phishing.\n* Exploits that depend on a complex scenario or whose probability of exploitation is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access to Crypto.com Confidential information.\n\n##Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n##Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-01T05:59:55.191Z"},{"id":3634428,"new_policy":"Crypto.com recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only.\n\n# UPDATE 03 December 2019: Crypto.com Exchange Beta now available for testing\nCrypto.com is excited to announce the launch of its cryptocurrency exchange. Crypto.com Exchange enables users to trade digital assets on the most liquid and secure platform in the market through its web interface, trading API, and Crypto.com App.\nBlog post here: https://blog.crypto.com/crypto-com-exchange-goes-live-in-beta/\n\n_Signing up to be a Beta Tester:_\n* Please sign up to be a Beta tester here: https://crypto.com/en/exchangebeta\n* Upon sign up, access to the exchange platform will be provided\n* Please note that you are required to use the email address that you have used for testing on this program previously.\n* The Beta testing period will be from now through to the public release\n* Once the Beta testing period is over and the exchange is live to the public, any form of testing will require the user to sign up and do KYC as per any other user. This is so the pen tester can also test the resilience and look for any vulnerabilities in the signup process.\n\nWe've also updated this policy page with sections that are relevant to the Crypto.com Exchange:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Exchange Beta\n* Non-Qualifying Vulnerabilities in the Crypto.com Exchange Beta\n\n# UPDATE 19 September: New Crypto.com Chain assets added\nWe’re happy to announce some new releases of our products and have added new assets into our Scope. 
We've updated this policy page with sections that are relevant to the Crypto.com Chain:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Chain\n* Non-Qualifying Vulnerabilities in the Crypto.com Chain\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n#Scope \n##In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain (Public TestNet), you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public TestNet)\n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Validator Nodes:\n        * 13.82.183.37:26656\n        * 13.80.64.101:26656\n\n###Qualifying Vulnerabilities in the Crypto.com Exchange Beta\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n###Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n##Out of Scope\nThe following domains are hosted by third parties and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n###Non-Qualifying Vulnerabilities in the Crypto.com Exchange Beta\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n###Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n###Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n##Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-01T05:46:30.204Z"},{"id":3628356,"new_policy":"CRYPTO.com recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n# UPDATE 03 December 2019: Crypto.com Exchange Beta now available for testing \nCrypto.com is excited to announce the launch of its cryptocurrency exchange. Crypto.com Exchange enables users to trade digital assets on the most liquid and secure platform in the market through its web interface, trading API, and Crypto.com App.\nBlog post here: https://blog.crypto.com/crypto-com-exchange-goes-live-in-beta/\n\n_Signing up to be a Beta Tester:_\n* Please sign up to be a Beta tester here: https://crypto.com/en/exchangebeta\n* Upon sign up, access to the exchange platform will be provided\n* Please note that you are required to use the email address that you have used for testing on this program previously.\n* The Beta testing period will be from now through to the public release\n* Once the Beta testing period is over and the exchange is live to the public, any form of testing will require the user to sign up and do KYC as per any other user. This is so the pen tester can also test the resilience and look for any vulnerabilities in the signup process. \n\nWe've also updated this policy page with sections that are relevant to the Crypto.com Exchange. \n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Exchange Beta\n* Non-Qualifying Vulnerabilities in the Crypto.c\n\n# UPDATE 19 September: New Crypto.com Chain assets added\nWe’re happy to announce some new releases of our products and have added new assets into our Scope. 
We've updated this policy page with sections that are relevant to the Crypto.com Chain:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Chain\n* Non-Qualifying Vulnerabilities in the Crypto.com Chain\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n#Scope \n##In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain (Public TestNet), you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public TestNet)\n   * https://github.com/crypto-com/chain/tree/master/chain-tx-enclave\n   * Validator Nodes:\n        * 13.82.183.37:26656\n        * 13.80.64.101:26656\n\n###Qualifying Vulnerabilities in the Crypto.com Exchange Beta\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n###Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\t\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n##Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n###Non-Qualifying Vulnerabilities in the Crypto.com Exchange Beta\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n###Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n###Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of CRYPTO.com Confidential information.\n\n##Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-15T04:52:30.296Z"},{"id":3625038,"new_policy":"CRYPTO.com recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n# UPDATE 03 December 2019: Crypto.com Exchange Beta now available for testing \nCrypto.com is excited to announce the launch of its cryptocurrency exchange. Crypto.com Exchange enables users to trade digital assets on the most liquid and secure platform in the market through its web interface, trading API, and Crypto.com App.\nBlog post here: https://blog.crypto.com/crypto-com-exchange-goes-live-in-beta/\n\n_Signing up to be a Beta Tester:_\n* Please sign up to be a Beta tester here: https://crypto.com/en/exchangebeta\n* Upon sign up, access to the exchange platform will be provided\n* Please note that you are required to use the email address that you have used for testing on this program previously.\n* The Beta testing period will be from now through to the public release\n* Once the Beta testing period is over and the exchange is live to the public, any form of testing will require the user to sign up and do KYC as per any other user. This is so the pen tester can also test the resilience and look for any vulnerabilities in the signup process. \n\nWe've also updated this policy page with sections that are relevant to the Crypto.com Exchange. \n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Exchange Beta\n* Non-Qualifying Vulnerabilities in the Crypto.c\n\n# UPDATE 19 September: New Crypto.com Chain assets added\nWe’re happy to announce some new releases of our products and have added new assets into our Scope. 
We've updated this policy page with sections that are relevant to the Crypto.com Chain:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Chain\n* Non-Qualifying Vulnerabilities in the Crypto.com Chain\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n#Scope \n##In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain (Public TestNet), you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public TestNet)\n   * https://github.com/crypto-com/chain-tx-enclave\n   * Validator Nodes:\n        * 40.71.91.144:26656\n        * 40.71.91.141:26656\n        * 13.69.24.163:26656\n        * 40.118.7.174:26656\n\n###Qualifying Vulnerabilities in the Crypto.com Exchange Beta\n\n* Remote Code Execution     \n* Significant manipulation of the account balance     \n* Leakage of sensitive data\n* XSS/CSRF/Clickjacking affecting sensitive actions\n* Theft of privileged information\n* Partial authentication bypass     \n* Other vulnerability with clear potential for financial or data loss\n* Other XSS (excluding Self-XSS)     \n* Other CSRF (excluding logout CSRF)\n\n###Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\t\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n##Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n###Non-Qualifying Vulnerabilities in the Crypto.com Exchange Beta\nIn general, the following vulnerabilities will not meet the severity threshold:\n* Theoretical vulnerabilities without actual proof of concept\n* Email verification deficiencies, expiration of password reset links, and password complexity policies\n* Clickjacking/UI redressing with minimal security impact\n* Email enumeration (E.g. the ability to identify emails via password reset)\n* Information disclosure with minimal security impact (E.g. 
stack traces, path disclosure, directory listings, logs)\n* Internally known issues, duplicate issues, or issues which have already been made public\n* Tab-nabbing\n* Self-XSS\n* Denial of service (DoS)\n* Spamming\n* Usability issues\n* Vulnerabilities only exploitable on out-of-date browsers or platforms\n* Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI\n* Reports from automated tools or scans, without exploitability demonstration\n* Vulnerabilities related to autofill web forms\n* Use of known vulnerable libraries without actual proof of concept\n* Lack of security flags in cookies\n* Issues related to unsafe SSL/TLS cipher suites or protocol version\n* Content spoofing\n* Cache-control related issues\n* Exposure of internal IP address or domains\n* Missing security headers that do not lead to direct exploitation\n* CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)\n* Vulnerabilities that require physical access to a user's device\n* Assets that do not belong to Crypto.com\n* Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)\n\n###Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n###Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of CRYPTO.com Confidential information.\n\n##Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-03T06:34:58.561Z"},{"id":3619634,"new_policy":"CRYPTO.com recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n# UPDATE 19 September: New Crypto.com Chain assets added\nWe’re happy to announce some new releases of our products and have added new assets into our Scope. We've updated this policy page with sections that are relevant to the Crypto.com Chain:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Chain\n* Non-Qualifying Vulnerabilities in the Crypto.com Chain\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n#Scope \n##In Scope Assets: See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. \n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain (Public TestNet), you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public TestNet)\n   * https://github.com/crypto-com/chain-tx-enclave\n   * Validator Nodes:\n        * 40.71.91.144:26656\n        * 40.71.91.141:26656\n        * 13.69.24.163:26656\n        * 40.118.7.174:26656\n\n###Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\t\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network,  \n   individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n##Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n###Non-Qualifying Vulnerabilities in the Crypto.com Chain\n*  Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent 3rd party library\n* Vulnerabilities in the demo wallet example in [HERE](https://github.com/crypto-com/sample-chain-wallet)\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n###Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope\n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Reports that only result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, such as phishing.\n* Exploits based on a complex scenario, or where the probability of exploitation is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access to CRYPTO.com confidential information.\n\n## Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n## Disclaimer\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award, depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-20T03:22:54.810Z"},{"id":3619540,"new_policy":"CRYPTO.com recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only.\n\n# UPDATE 19 September: New Crypto.com Chain assets added\nWe’re happy to announce some new releases of our products and have added new assets to our Scope. We've updated this policy page with sections that are relevant to the Crypto.com Chain:\n* Scope\n* Qualifying Vulnerabilities in the Crypto.com Chain\n* Non-Qualifying Vulnerabilities in the Crypto.com Chain\n\nFor more information about Crypto.com’s recent dev updates, please have a look at our [blog post here](https://blog.crypto.com/crypto-com-chain-dev-update-5/).\n\n## Rules\n* Please do not publicly disclose any vulnerabilities without our consent. We will not approve public disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* If we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n# Scope\n## In Scope Assets: See Structured Scope\n* Only issues identified in the applications listed in Structured Scopes qualify for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web applications may come into scope, so please check back regularly.\n* For now, only the apps listed as in scope have opted in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n* _For Crypto.com Chain (Public TestNet), you can access the relevant resources here:_\n   * https://github.com/crypto-com/chain (Crypto.com Chain Public TestNet)\n   * https://github.com/crypto-com/chain-tx-enclave\n   * Validator Nodes:\n        * 40.71.91.144:26656\n        * 40.71.91.141:26656\n        * 13.69.24.163:26656\n        * 40.118.7.174:26656\n\n### Qualifying Vulnerabilities in the Crypto.com Chain\nWe are looking to find security issues affecting our blockchain protocol. 
As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):\n* Bugs in our implementation of the cryptographic primitives\n* Remote Code Execution on any Crypto.com node and the reference wallet implementation\n* Vulnerabilities that disrupt the consensus result and performance\n* Unauthorized movement of funds, access to private keys\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation\n* Transaction origin spoofing\n* Vulnerabilities that affect the stability or availability of Crypto.com Chain / Explorer\n\n## Out of Scope\nThe following domains are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n### Non-Qualifying Vulnerabilities in the Crypto.com Chain\n* Vulnerabilities in Intel SGX\n* Vulnerabilities in Tendermint\n* Vulnerabilities in a dependent third-party library\n* Vulnerabilities in the demo wallet example in HERE\n* Missing features, missing best practices, known limitations, known bugs, e.g. 
\u003e⅓ Byzantine faults\n\n### Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view opened URIs.\n* Absence of certificate pinning.\n* Sensitive data in URLs/request bodies when protected by TLS.\n* User data stored unencrypted on external storage and in the private directory.\n* Lack of obfuscation.\n* Auth \"app secret\" hard-coded/recoverable in the APK.\n* Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes.\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC).\n* Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDoS).\n* DNSSEC misconfiguration.\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries.\n* Path disclosure in the binary.\n* Snapshot/Pasteboard leakage.\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment).\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.\n* Reports that only result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, such as phishing.\n* Exploits based on a complex scenario, or where the probability of exploitation is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access to CRYPTO.com confidential information.\n\n## Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n## Disclaimer\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award, depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-19T10:26:03.688Z"},{"id":3613948,"new_policy":"# **CRYPTO.com Bug Bounty Program**\nCRYPTO.com recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n*Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of CRYPTO.com Confidential information.\n\n##Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-15T03:19:48.672Z"},{"id":3611712,"new_policy":"#**CRYPTO.com Bug Bounty Program**\nCRYPTO.com recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Wallet / Crypto Invest / Card].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n*Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of CRYPTO.com Confidential information.\n\n##Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-12T05:54:10.878Z"},{"id":3611711,"new_policy":"\n#**CRYPTO.com Bug Bounty Program**\nCRYPTO.com recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Wallet / Crypto Invest / Card].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n*Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of CRYPTO.com Confidential information.\n\n##Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. 
\n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-12T05:49:49.618Z"},{"id":3610146,"new_policy":"# WE HAVE DOUBLED OUR BOUNTIES UNTIL THE 7th JUNE 2019!\n\n\n#**CRYPTO.com Bug Bounty Program**\nCRYPTO.com recognises the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Wallet / Crypto Invest / Card].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. \n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n*Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations 
i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of CRYPTO.com Confidential information.\n\n##Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. 
\n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-24T10:13:56.418Z"},{"id":3610145,"new_policy":"# WE HAVE DOUBLED OUR BOUNTIES UNTIL THE 7th JUNE 2019!\n\n#**CRYPTO.com Bug Bounty Program**\nCRYPTO.com recognises the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Wallet / Crypto Invest / Card].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. \n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n*Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations 
i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of CRYPTO.com Confidential information.\n\n##Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. 
\n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-24T10:13:25.636Z"},{"id":3595500,"new_policy":"#**CRYPTO.com Bug Bounty Program**\nCRYPTO.com recognises the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Wallet / Crypto Invest / Card].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. \n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n*Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations 
i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of CRYPTO.com Confidential information.\n\n##Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. 
\n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-23T02:59:13.113Z"},{"id":3595499,"new_policy":"#**CRYPTO.com Bug Bounty Program**\nCRYPTO.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Wallet / Crypto Invest / Card].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. \n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n*Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations 
i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of CRYPTO.com Confidential information.\n\n##Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. 
\n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-23T02:59:05.512Z"},{"id":3586685,"new_policy":"#**CRYPTO.com Bug Bounty Program**\nCRYPTO.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the MCO APP [Wallet / Crypto Invest].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. \n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n*Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or 
Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of CRYPTO.com Confidential information.\n\n##Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. 
\n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-24T08:53:43.758Z"},{"id":3586682,"new_policy":"#**CRYPTO.com Bug Bounty Program_**\nCRYPTO.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the MCO APP [Wallet / Crypto Invest].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. \n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n*Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or 
Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of CRYPTO.com Confidential information.\n\n##Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. 
\n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-24T08:41:52.476Z"},{"id":3586681,"new_policy":"#**CRYPTO.com Bug Bounty Program_**\nCRYPTO.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the MCO APP [Wallet / Crypto Invest].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. \n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in apk\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n*Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or 
Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of CRYPTO.com Confidential information.\n\n##Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. 
\n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-24T08:41:22.798Z"},{"id":3586679,"new_policy":"#**CRYPTO.com Bug Bounty Program_**\nCRYPTO.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by CRYPTO.com are eligible for our bug bounty program, including the MCO APP [Wallet / Crypto Invest].\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. \n* For now, only the apps listed as in scope have opted-in to the CRYPTO.com Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by CRYPTO.com.\nCRYPTO.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Rewards\nWe categorize bug reports into Low, Medium, High and Critical security risk vulnerabilities. Rewards are administered according to the following guidelines:\n\n###Bounty Table\n| SEVERITY \t\t| CVSS SCORE \t| REWARD \t|\n|----------\t\t|------------\t\t|--------\t\t|\n| Critical \t\t\t| 9.0 - 10.0\t| $5000-$10000|\n| High     \t\t\t| 7.0 - 8.9 | $2,500-$5000 | \n| Medium   \t\t| 4.0 - 6.9 | $600-$1500  |\n| Low      \t\t\t| 0.1 - 3.9  | $250-$600 |\n\n\n_Note:_ If the Report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly.\n\nWe have not set a maximum reward for the reporting of security vulnerabilities, and may increase reward amounts based on the severity of the vulnerability found. 
The specific amount of the bug will vary according to:\n* The effect of the bug.\n* The cause of the bug.\n* Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\nBesides earning a place in our security hall of fame, every security vulnerability submitted that results in a fix on our side will receive a monetary reward. \n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in apk\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing  SPF/DKIM/DMARC)\n*Clickjacking/UI redressing with minimal security impact.\n* Distributed denial of service attacks (DDOS).\n* DNSSEC Misconfiguration\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that are not reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of CRYPTO.com Confidential information.\n\n##Previously Known Issues\n* CRYPTO.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* CRYPTO.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-24T08:29:15.090Z"},{"id":3583086,"new_policy":"#**Crypto.com Bug Bounty Program_**\nCrypto.com recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without out our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They’re noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the MCO APP Wallet and Exchange.\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. 
\n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.crypto.com\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Rewards\nWe categorize bug reports into Low, Medium, High and Critical security risk vulnerabilities. Rewards are administered according to the following guidelines:\n\n###Bounty Table\n| SEVERITY \t\t| CVSS SCORE \t| REWARD \t|\n|----------\t\t|------------\t\t|--------\t\t|\n| Critical \t\t\t| 9.0 - 10.0 eg: RCE, SQL Injection, Manipulation of account balance\t\t| *$7500 + receive a MCO metal card without lockup + Swag \t|\n| High     \t\t\t| 7.0 - 8.9 eg: XSS/CSRF/Clickjacking affecting sensitive actions, Authentication bypasses, Loss of privileged information (passwords, API keys, private keys, etc.)\t\t| *$3,000 + receive a MCO metal card without lockup + Swag   \t|\n| Medium   \t\t| 4.0 - 6.9 eg: Partial authentication bypass, Other vulnerability with clear potential for financial loss, Loss of user personal information (addresses, phone numbers, etc)   \t\t| *$1000 + Swag   |\n| Low      \t\t\t| 0.1 - 3.9 eg: Other XSS (excluding Self-XSS) Other CSRF (excluding logout CSRF)  | *$250 + Swag   \t\t|\n***To receive the MCO card and Swag we will need a postage address.\n\n_Note:_ If the Report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly.\n\nWe have not set a maximum reward for the reporting of security vulnerabilities, and may increase reward amounts based on the severity of 
the vulnerability found. The specific amount of the bug will vary according to:\n* The effect of the bug.\n* The cause of the bug.\n* Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\nBesides earning a place in our security hall of fame, every security vulnerability submitted that results in a fix on our side will receive a monetary reward. \n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in apk\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Distributed denial of service attacks (DDOS).\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. 
issues already reported by other researchers.\n* Issues that aren’t reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing or clickjacking.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n##Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. 
\n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-19T11:23:31.229Z"},{"id":3583084,"new_policy":"#**Crypto.com Bug Bounty Program_**\nCrypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without out our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. They’re noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com APP Wallet and Exchange.\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. \n* For now, only the apps listed as in scope have opted-in to the Crypto.com Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.mona.co\n* Any other service not directly hosted or controlled by Crypto.com.\nCrypto.com will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Rewards\nWe categorize bug reports into Low, Medium, High and Critical security risk vulnerabilities. 
Rewards are administered according to the following guidelines:\n\n###Bounty Table\n| SEVERITY \t\t| CVSS SCORE \t| REWARD \t|\n|----------\t\t|------------\t\t|--------\t\t|\n| Critical \t\t\t| 9.0 - 10.0 eg: RCE, SQL Injection, Manipulation of account balance\t\t| *$7500 + receive a Crypto.com metal card without lockup + Swag \t|\n| High     \t\t\t| 7.0 - 8.9 eg: XSS/CSRF/Clickjacking affecting sensitive actions, Authentication bypasses, Loss of privileged information (passwords, API keys, private keys, etc.)\t\t| *$3,000 + receive a Crypto.com metal card without lockup + Swag   \t|\n| Medium   \t\t| 4.0 - 6.9 eg: Partial authentication bypass, Other vulnerability with clear potential for financial loss, Loss of user personal information (addresses, phone numbers, etc)   \t\t| *$1000 + Swag   |\n| Low      \t\t\t| 0.1 - 3.9 eg: Other XSS (excluding Self-XSS) Other CSRF (excluding logout CSRF)  | *$250 + Swag   \t\t|\n***To receive the Crypto.com card and Swag we will need a postage address.\n\n_Note:_ If the Report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly.\n\nWe have not set a maximum reward for the reporting of security vulnerabilities, and may increase reward amounts based on the severity of the vulnerability found. The specific amount of the bug will vary according to:\n* The effect of the bug.\n* The cause of the bug.\n* Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\nBesides earning a place in our security hall of fame, every security vulnerability submitted that results in a fix on our side will receive a monetary reward. 
\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in apk\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Distributed denial of service attacks (DDOS).\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. issues already reported by other researchers.\n* Issues that aren’t reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing or clickjacking.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.\n\n##Previously Known Issues\n* Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. 
We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Crypto.com Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-19T11:11:57.652Z"},{"id":3582561,"new_policy":"#**_Monaco Bug Bounty Program_**\nMonaco recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without out our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. 
They’re noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Monaco are eligible for our bug bounty program, including the Monaco APP Wallet and Exchange.\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. \n* For now, only the apps listed as in scope have opted-in to the Monaco Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.mona.co\n* Any other service not directly hosted or controlled by Monaco.\nMonaco will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Rewards\nWe categorize bug reports into Low, Medium, High and Critical security risk vulnerabilities. 
Rewards are administered according to the following guidelines:\n\n###Bounty Table\n| SEVERITY \t\t| CVSS SCORE \t| REWARD \t|\n|----------\t\t|------------\t\t|--------\t\t|\n| Critical \t\t\t| 9.0 - 10.0 eg: RCE, SQL Injection, Manipulation of account balance\t\t| *$7500 + receive a Monaco metal card without lockup + Swag \t|\n| High     \t\t\t| 7.0 - 8.9 eg: XSS/CSRF/Clickjacking affecting sensitive actions, Authentication bypasses, Loss of privileged information (passwords, API keys, private keys, etc.)\t\t| *$3,000 + receive a Monaco metal card without lockup + Swag   \t|\n| Medium   \t\t| 4.0 - 6.9 eg: Partial authentication bypass, Other vulnerability with clear potential for financial loss, Loss of user personal information (addresses, phone numbers, etc)   \t\t| *$1000 + Swag   |\n| Low      \t\t\t| 0.1 - 3.9 eg: Other XSS (excluding Self-XSS) Other CSRF (excluding logout CSRF)  | *$250 + Swag   \t\t|\n***To receive the Monaco card and Swag we will need a postage address.\n\n_Note:_ If the Report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly.\n\nWe have not set a maximum reward for the reporting of security vulnerabilities, and may increase reward amounts based on the severity of the vulnerability found. The specific amount of the bug will vary according to:\n* The effect of the bug.\n* The cause of the bug.\n* Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\nBesides earning a place in our security hall of fame, every security vulnerability submitted that results in a fix on our side will receive a monetary reward. 
\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in apk\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Distributed denial of service attacks (DDOS).\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. issues already reported by other researchers.\n* Issues that aren’t reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing or clickjacking.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of Monaco Confidential information.\n\n##Previously Known Issues\n* Monaco is serious about security and we do our own internal scanning and testing through a QA process. 
We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n* Monaco reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Monaco Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-13T15:41:36.272Z"},{"id":3581389,"new_policy":"#**_Monaco Bug Bounty Program_**\nMonaco recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without out our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. 
They’re noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope \n###In Scope Assets See Structured Scope\n* An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Monaco are eligible for our bug bounty program, including the Monaco APP Wallet and Exchange.\n* _Note:_ Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.\n* Over time, additional apps or web application may come into scope, so please check back regularly. \n* For now, only the apps listed as in scope have opted-in to the Monaco Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.mona.co\n* Any other service not directly hosted or controlled by Monaco.\nMonaco will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Rewards\nWe categorize bug reports into Low, Medium, High and Critical security risk vulnerabilities. 
Rewards are administered according to the following guidelines:\n\n###Bounty Table\n| SEVERITY \t\t| CVSS SCORE \t| REWARD \t|\n|----------\t\t|------------\t\t|--------\t\t|\n| Critical \t\t\t| 9.0 - 10.0 eg: RCE, SQL Injection, Manipulation of account balance\t\t| *$7500 + receive a Monaco metal card without lockup + Swag \t|\n| High     \t\t\t| 7.0 - 8.9 eg: XSS/CSRF/Clickjacking affecting sensitive actions, Authentication bypasses, Loss of privileged information (passwords, API keys, private keys, etc.)\t\t| *$3,000 + receive a Monaco metal card without lockup + Swag   \t|\n| Medium   \t\t| 4.0 - 6.9 eg: Partial authentication bypass, Other vulnerability with clear potential for financial loss, Loss of user personal information (addresses, phone numbers, etc)   \t\t| *$1000 + Swag   |\n| Low      \t\t\t| 0.1 - 3.9 eg: Other XSS (excluding Self-XSS) Other CSRF (excluding logout CSRF)  | *$250 + Swag   \t\t|\n***To receive the Monaco card and Swag we will need a postage address.\n\n_Note:_ If the Report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly.\n\nWe have not set a maximum reward for the reporting of security vulnerabilities, and may increase reward amounts based on the severity of the vulnerability found. The specific amount of the bug will vary according to:\n* The effect of the bug.\n* The cause of the bug.\n* Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\nBesides earning a place in our security hall of fame, every security vulnerability submitted that results in a fix on our side will receive a monetary reward. 
\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view URIs opened\n* Absence of certificate pinning\n* Sensitive data in URLs/request bodies when protected by TLS\n* User data stored unencrypted on external storage and private directory.\n* Lack of obfuscation is out of scope \n* auth \"app secret\" hard-coded/recoverable in apk\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes\n* Distributed denial of service attacks (DDOS).\n* Lack of binary protection (anti-debugging) controls.\n* Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n* Path disclosure in the binary\n* Snapshot/Pasteboard leakage\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)\n* Already known issues, e.g. issues already reported by other researchers.\n* Issues that aren’t reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Require physical connection to the device with developer-level debugging tool including but not limited to ADB.\n* Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users like phishing or clickjacking.\n* Exploit is based on a complex scenario or the probability of exploit is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access of Monaco Confidential information.\n\n##Previously Known Issues\n* Monaco is serious about security and we do our own internal scanning and testing through a QA process. 
We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible. \n\n##Disclaimer:\n*Monaco reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n*Monaco Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible. \n*By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-03T02:48:25.382Z"},{"id":3575330,"new_policy":"#**_Monaco Bug Bounty Program_**\nMonaco recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only. \n\n##Rules\n* Please do not Publicly Disclose any vulnerabilities without out our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. 
They’re noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* If we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope\n###In Scope Assets (See Structured Scope)\n* Only an issue identified in the applications listed in Structured Scopes qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Monaco are eligible for our bug bounty program, including the Monaco APP Wallet and Exchange.\n* _Note:_ The severity shown in the structured scopes indicates the maximum severity possible for reports submitted against that asset.\n* Over time, additional apps or web applications may come into scope, so please check back regularly.\n* For now, only the apps listed as in scope have opted in to the Monaco Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains are hosted by third parties and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.mona.co\n* Any other service not directly hosted or controlled by Monaco.\nMonaco will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Rewards\nWe categorize bug reports into Low, Medium, High and Critical security risk vulnerabilities. 
Rewards are administered according to the following guidelines:\n\n###Bounty Table\n| SEVERITY | CVSS SCORE | EXAMPLES | REWARD |\n|----------|------------|----------|--------|\n| Critical | 9.0 - 10.0 | RCE, SQL Injection, Manipulation of account balance | *$7,500 + receive a Monaco metal card without lockup + Swag |\n| High | 7.0 - 8.9 | XSS/CSRF/Clickjacking affecting sensitive actions, Authentication bypasses, Loss of privileged information (passwords, API keys, private keys, etc.) | *$3,000 + receive a Monaco metal card without lockup + Swag |\n| Medium | 4.0 - 6.9 | Partial authentication bypass, Other vulnerability with clear potential for financial loss, Loss of user personal information (addresses, phone numbers, etc.) | *$1,000 + Swag |\n| Low | 0.1 - 3.9 | Other XSS (excluding Self-XSS), Other CSRF (excluding logout CSRF) | *$250 + Swag |\n\n*To receive the Monaco card and Swag we will need a postal address.\n\n_Note:_ If the report does not include a valid Proof-of-Concept, the qualification for rewards will be decided according to the reproducibility and severity of the vulnerability, and the reward amount may be reduced significantly.\n\nWe have not set a maximum reward for the reporting of security vulnerabilities, and may increase reward amounts based on the severity of the vulnerability found. The specific reward amount will vary according to:\n* The effect of the bug.\n* The cause of the bug.\n* Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\n\nBesides earning a place in our security hall of fame, every security vulnerability submitted that results in a fix on our side will receive a monetary reward. 
\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view opened URIs.\n* Absence of certificate pinning.\n* Sensitive data in URLs/request bodies when protected by TLS.\n* User data stored unencrypted on external storage or in the app's private directory.\n* Lack of obfuscation.\n* Auth \"app secret\" hard-coded in or recoverable from the APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver components (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes.\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, e.g., PIE, ARC, or Stack Canaries.\n* Path disclosure in the binary.\n* Snapshot/Pasteboard leakage.\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment).\n* Already known issues, e.g. issues already reported by other researchers.\n* Issues that aren’t reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with developer-level debugging tools, including but not limited to ADB.\n* Reports that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, like phishing or clickjacking.\n* Exploits that are based on a complex scenario or whose probability of exploitation is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access to Monaco confidential information.\n\n##Previously Known Issues\n* Monaco is serious about security and we do our own internal scanning and testing through a QA process. 
We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n##Disclaimer:\n* Monaco reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\n* Monaco Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.\n* By submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-02T10:36:42.090Z"},{"id":3575324,"new_policy":"#**_Monaco Bug Bounty Program_**\nMonaco recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only.\n\n##Rules\n* Please do not publicly disclose any vulnerabilities without our consent. We will not approve public disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. 
They’re noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* If we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope\n###In Scope Assets (See Structured Scope)\n* Only an issue identified in the applications listed in Structured Scopes qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Monaco are eligible for our bug bounty program, including the Monaco APP Wallet and Exchange.\n* _Note:_ The severity shown in the structured scopes indicates the maximum severity possible for reports submitted against that asset.\n* Over time, additional apps or web applications may come into scope, so please check back regularly.\n* For now, only the apps listed as in scope have opted in to the Monaco Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains are hosted by third parties and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.mona.co\n* Any other service not directly hosted or controlled by Monaco.\nMonaco will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Rewards\nWe categorize bug reports into Low, Medium, High and Critical security risk vulnerabilities. 
Rewards are administered according to the following guidelines:\n\n###Bounty Table\n| SEVERITY | CVSS SCORE | EXAMPLES | REWARD |\n|----------|------------|----------|--------|\n| Critical | 9.0 - 10.0 | RCE, SQL Injection, Manipulation of account balance | *$7,500 + receive a Monaco metal card without lockup + Swag |\n| High | 7.0 - 8.9 | XSS/CSRF/Clickjacking affecting sensitive actions, Authentication bypasses, Loss of privileged information (passwords, API keys, private keys, etc.) | *$3,000 + receive a Monaco metal card without lockup + Swag |\n| Medium | 4.0 - 6.9 | Partial authentication bypass, Other vulnerability with clear potential for financial loss, Loss of user personal information (addresses, phone numbers, etc.) | *$1,000 + Swag |\n| Low | 0.1 - 3.9 | Other XSS (excluding Self-XSS), Other CSRF (excluding logout CSRF) | *$250 + Swag |\n\n*To receive the Monaco card and Swag we will need a postal address.\n\n_Note:_ If the report does not include a valid Proof-of-Concept, the qualification for rewards will be decided according to the reproducibility and severity of the vulnerability, and the reward amount may be reduced significantly.\n\nWe have not set a maximum reward for the reporting of security vulnerabilities, and may increase reward amounts based on the severity of the vulnerability found. The specific reward amount will vary according to:\n* The effect of the bug.\n* The cause of the bug.\n* Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\n\nBesides earning a place in our security hall of fame, every security vulnerability submitted that results in a fix on our side will receive a monetary reward. 
\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view opened URIs.\n* Absence of certificate pinning.\n* Sensitive data in URLs/request bodies when protected by TLS.\n* User data stored unencrypted on external storage or in the app's private directory.\n* Lack of obfuscation.\n* Auth \"app secret\" hard-coded in or recoverable from the APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver components (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes.\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, e.g., PIE, ARC, or Stack Canaries.\n* Path disclosure in the binary.\n* Snapshot/Pasteboard leakage.\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment).\n* Already known issues, e.g. issues already reported by other researchers.\n* Issues that aren’t reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with developer-level debugging tools, including but not limited to ADB.\n* Reports that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, like phishing or clickjacking.\n* Exploits that are based on a complex scenario or whose probability of exploitation is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access to Monaco confidential information.\n\n##Previously Known Issues\n* Monaco is serious about security and we do our own internal scanning and testing through a QA process. 
We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n##Disclaimer:\nMonaco reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-02T08:52:56.544Z"},{"id":3575323,"new_policy":"#**_Monaco Bug Bounty Program_**\nMonaco recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n_Note:_ This program is for the disclosure of software security vulnerabilities only.\n\n##Rules\n* Please do not publicly disclose any vulnerabilities without our consent. We will not approve public disclosure requests until the vulnerability has been resolved.\n* Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.\n* Do not use scanners or automated tools to find vulnerabilities. 
They’re noisy and we may ban your IP address.\n* Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.\n* If we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a bug, you agree to be bound by the rules.\n\n##Scope\n###In Scope Assets (See Structured Scope)\n* Only an issue identified in the applications listed in Structured Scopes qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n* All services provided by Monaco are eligible for our bug bounty program, including the Monaco APP Wallet and Exchange.\n* _Note:_ The severity shown in the structured scopes indicates the maximum severity possible for reports submitted against that asset.\n* Over time, additional apps or web applications may come into scope, so please check back regularly.\n* For now, only the apps listed as in scope have opted in to the Monaco Security Rewards Program and are eligible for rewards.\n\n###Out of Scope\nThe following domains are hosted by third parties and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n*.mona.co\n* Any other service not directly hosted or controlled by Monaco.\nMonaco will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\n##Rewards\nWe categorize bug reports into Low, Medium, High and Critical security risk vulnerabilities. 
Rewards are administered according to the following guidelines:\n\n###Bounty Table\n| SEVERITY | CVSS SCORE | EXAMPLES | REWARD |\n|----------|------------|----------|--------|\n| Critical | 9.0 - 10.0 | RCE, SQL Injection, Manipulation of account balance | *$7,500 + receive a Monaco metal card without lockup + Swag |\n| High | 7.0 - 8.9 | XSS/CSRF/Clickjacking affecting sensitive actions, Authentication bypasses, Loss of privileged information (passwords, API keys, private keys, etc.) | *$3,000 + receive a Monaco metal card without lockup + Swag |\n| Medium | 4.0 - 6.9 | Partial authentication bypass, Other vulnerability with clear potential for financial loss, Loss of user personal information (addresses, phone numbers, etc.) | *$1,000 + Swag |\n| Low | 0.1 - 3.9 | Other XSS (excluding Self-XSS), Other CSRF (excluding logout CSRF), Other best practice or defense in depth | *$250 + Swag |\n\n*To receive the Monaco card and Swag we will need a postal address.\n\n_Note:_ If the report does not include a valid Proof-of-Concept, the qualification for rewards will be decided according to the reproducibility and severity of the vulnerability, and the reward amount may be reduced significantly.\n\nWe have not set a maximum reward for the reporting of security vulnerabilities, and may increase reward amounts based on the severity of the vulnerability found. The specific reward amount will vary according to:\n* The effect of the bug.\n* The cause of the bug.\n* Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\n\nBesides earning a place in our security hall of fame, every security vulnerability submitted that results in a fix on our side will receive a monetary reward. 
\n\n##Non-Qualifying Vulnerabilities in the Mobile Apps\n* Software bugs that have no security impact.\n* Shared links leaked through the system clipboard.\n* Any URIs leaked because a malicious app has permission to view opened URIs.\n* Absence of certificate pinning.\n* Sensitive data in URLs/request bodies when protected by TLS.\n* User data stored unencrypted on external storage or in the app's private directory.\n* Lack of obfuscation.\n* Auth \"app secret\" hard-coded in or recoverable from the APK.\n* Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver components (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes.\n* Lack of binary protection (anti-debugging) controls.\n* Lack of exploit mitigations, e.g., PIE, ARC, or Stack Canaries.\n* Path disclosure in the binary.\n* Snapshot/Pasteboard leakage.\n* Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment).\n* Already known issues, e.g. issues already reported by other researchers.\n* Issues that aren’t reproducible.\n* Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.\n* Issues that require a physical connection to the device with developer-level debugging tools, including but not limited to ADB.\n* Reports that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit.\n* Scenarios requiring excessive user interaction or tricking users, like phishing or clickjacking.\n* Exploits that are based on a complex scenario or whose probability of exploitation is very low.\n* Reports based on information that is already public.\n* Reports based on information taken or obtained through illegal access to Monaco confidential information.\n\n##Previously Known Issues\n* Monaco is serious about security and we do our own internal scanning and testing through a QA process. 
We know we can't catch everything all the time, which is why we rely on the safety net of the hacking community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.\n\n##Disclaimer:\nMonaco reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-02T08:13:50.179Z"}]