[{"id":3767989,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that change, degrade, damage, or destroy information within our systems or that may impact or affect our users.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing\n5. Only interact with accounts you own or with the explicit permission of the account holder.\n6. Do not incur loss of funds that are not your own\n7. No destructive automated testing. 
Under no circumstance should automated testing cause intentional damage to our systems\n8. Do not publicly disclose vulnerabilities without our explicit consent\n9. Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n10. Always be respectful when interacting with our team\n11. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n12. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n13.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n14.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n15. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n16. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. Please use format \"X-HackerOne-Research: [H1 username]\"\n2. 
Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program, however these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to  keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- oauth.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://app.deriv.com/bot (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n- *.deriv.cloud\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- Deriv P2P: Our peer-to-peer payments app \nhttps://play.google.com/store/apps/details?id=com.deriv.dp2p\nhttps://apps.apple.com/jm/app/deriv-dp2p/id1506901451\n- Deriv GO: Our options trading app \nhttps://play.google.com/store/apps/details?id=com.deriv.app\nhttps://apps.apple.com/ug/app/deriv-go/id1550561298\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (legacy)\n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps \n- Deriv X: Our CFD trading app by DevExperts (Android app, iOS app)\nhttps://dx.deriv.com\nhttps://play.google.com/store/apps/details?id=com.deriv.dx\nhttps://apps.apple.com/by/app/deriv-x/id1563337503\n- https://ct.deriv.com/  trading app by ctrader (Android app, iOS app)\n- https://academy.deriv.com/\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000  |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $50  |\n| Edge business      | Up to $50  |\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for 
MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Issues in the 3rd-party app myaffiliates\n- Issues in the 3rd-party support chatbox (Livechat/freshworks)\n- Clickjacking without any impact\n- Public signup allowed on the Jira service desk at https://deriv.atlassian.net/servicedesk/customer/user/signup (it is not owned by Deriv)\n- XML-RPC-related brute-force/enumeration/DDoS attacks\n- Firebase DB open without sensitive information\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that pose no threat to deriv.com or other users, for example, self-XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, or misconfigurations that lead to a CORS bypass without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Disclosure of non-sensitive information such as error messages, software versions, IP addresses, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in outdated IE 
browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or other non-sensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerabilities that do not expose intranet server information (e.g., only a DNS request, without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools such as, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only possible on older versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. 
If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-05T14:09:23.503Z"},{"id":3741129,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. 
You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that change, degrade, damage, or destroy information within our systems or that may impact or affect our users.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing\n5. Only interact with accounts you own or with the explicit permission of the account holder.\n6. Do not incur loss of funds that are not your own\n7. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n8. Do not publicly disclose vulnerabilities without our explicit consent\n9. Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n10. Always be respectful when interacting with our team\n11. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n12. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n13.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n14.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n15. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n16. 
Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. Please use format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program, however these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to  keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- oauth.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://app.deriv.com/bot (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n- *.deriv.cloud\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- Deriv P2P: Our peer-to-peer payments app \nhttps://play.google.com/store/apps/details?id=com.deriv.dp2p\nhttps://apps.apple.com/jm/app/deriv-dp2p/id1506901451\n- Deriv GO: Our options trading app \nhttps://play.google.com/store/apps/details?id=com.deriv.app\nhttps://apps.apple.com/ug/app/deriv-go/id1550561298\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (legacy)\n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps \n- Deriv X: Our CFD trading app by DevExperts (Android app, iOS app)\nhttps://dx.deriv.com\nhttps://play.google.com/store/apps/details?id=com.deriv.dx\nhttps://apps.apple.com/by/app/deriv-x/id1563337503\n- https://ct.deriv.com/  trading app by ctrader (Android app, iOS app)\n- https://academy.deriv.com/\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000  |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $50  |\n| Edge business      | Up to $50  |\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for 
MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Issues in the 3rd-party app myaffiliates\n- Issues in the 3rd-party support chatbox (Livechat/freshworks)\n- Clickjacking without any impact\n- Public signup allowed on the Jira service desk at https://deriv.atlassian.net/servicedesk/customer/user/signup (it is not owned by Deriv)\n- XML-RPC-related brute-force/enumeration/DDoS attacks\n- Firebase DB open without sensitive information\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that pose no threat to deriv.com or other users, for example, self-XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, or misconfigurations that lead to a CORS bypass without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Disclosure of non-sensitive information such as error messages, software versions, IP addresses, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in outdated IE 
browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or other non-sensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerabilities that do not expose intranet server information (e.g., only a DNS request, without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools such as, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only possible on older versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. 
If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-04T04:11:58.900Z"},{"id":3740934,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. 
You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that change, degrade, damage, or destroy information within our systems or that may impact or affect our users.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing.\n5. Only interact with accounts you own or with the explicit permission of the account holder.\n6. Do not cause loss of funds that are not your own.\n7. No destructive automated testing. Under no circumstances should automated testing cause intentional damage to our systems.\n8. Do not publicly disclose vulnerabilities without our explicit consent.\n9. Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n10. Always be respectful when interacting with our team.\n11. When conducting research, always follow the guidelines set out in [Test plan](#user-content-test-plan).\n12. The final assessment of each vulnerability is determined by its impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n13. If one root cause produces several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by the same server configuration, the same file or template, wildcard domain name resolution, and the like will be considered one vulnerability.\n14. In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n15. For any 0-day vulnerability, we will only accept the report once more than 30 days have passed since the relevant patch was released.\n16. 
Vulnerabilities regarding information disclosure from cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request. Please use the format \"X-HackerOne-Research: [H1 username]\".\n2. Our assets are self sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets.\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n- Abide by the terms and conditions of Deriv.com.\n- Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n- Not be employed by Deriv or any of its affiliates, or be an immediate family member of a person employed by Deriv or any of its affiliates.\n- Accept responsibility for any tax implications of a reward from our Bug Bounty Program, which depend on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- oauth.deriv.com\n- WebSocket API on deriv.com (see api.deriv.com)\n- https://app.deriv.com/bot (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n- *.deriv.cloud\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- Deriv P2P: Our peer-to-peer payments app\nhttps://play.google.com/store/apps/details?id=com.deriv.dp2p\nhttps://apps.apple.com/jm/app/deriv-dp2p/id1506901451\n- Deriv GO: Our options trading app\nhttps://play.google.com/store/apps/details?id=com.deriv.app\nhttps://apps.apple.com/ug/app/deriv-go/id1550561298\n\n### Edge businesses:\n- *.deriv.com (any deriv.com subdomain not already listed in a higher tier above)\n- *.binary.com (legacy)\n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps\n- Deriv X: Our CFD trading app by DevExperts (Android app, iOS app)\nhttps://dx.deriv.com\nhttps://play.google.com/store/apps/details?id=com.deriv.dx\nhttps://apps.apple.com/by/app/deriv-x/id1563337503\n- https://ct.deriv.com/ : trading app by cTrader (Android app, iOS app)\n- https://academy.deriv.com/\n- Some operations and maintenance monitoring, test pages, test environments, and open-source systems that lack access controls\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000 |\n| Edge business      | Up to $1,500 |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, directory traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing back-end source code (read-only) or manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interaction logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimal impact (including unauthorised file uploads on our servers to enable phishing)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection that can access sensitive information in local application storage\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $50  |\n| Edge business      | Up to $50  |\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for 
MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities only under complex, unusual conditions\n    - hijack app upgrades\n    - load arbitrary URLs through an exposed component, enabling phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Issues in the 3rd party app MyAffiliates\n- Issues in the 3rd party support chat widget (LiveChat/Freshworks)\n- Clickjacking without any impact\n- Public Jira Service Desk sign-up being allowed on https://deriv.atlassian.net/servicedesk/customer/user/signup (it is not owned by Deriv)\n- XML-RPC related brute-force/enumeration/DDoS attacks\n- Open Firebase database without sensitive information\n- Design flaws and best-practice deviations that do not lead to security vulnerabilities\n- Vulnerabilities that pose no threat to deriv.com or other users, for example self-XSS or having a user paste JavaScript into the browser console\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Issues with minimal security implications, such as low-impact CSRF (login/logout), low-impact UI redressing, or a misconfiguration that leads to a CORS bypass without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Disclosure of non-sensitive information such as error messages, software versions, IP addresses, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in outdated Internet Explorer 
browsers\n- HTTP status codes/pages (error pages and other non-standard responses) and other non-sensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF that does not expose internal server information (e.g., only a DNS request, without any further impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak that requires a malicious app to have already acquired the appropriate permissions\n- Runtime hacking exploits using tools such as, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that only work on older Android versions (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. 
If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-02T12:17:21.618Z"},{"id":3738213,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the overall security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility to participate](#user-content-eligibility-to-participate)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as a pretext for activities such as:\n    - exploiting vulnerabilities to steal user data\n    - intruding into Deriv’s services\n    - changing, copying, or stealing data from related system services\n2. Do not cause more harm than good. 
You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that change, degrade, damage, or destroy information within our systems or that may impact or affect our users.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing.\n5. Only interact with accounts you own or with the explicit permission of the account holder.\n6. Do not cause loss of funds that are not your own.\n7. No destructive automated testing. Under no circumstances should automated testing cause intentional damage to our systems.\n8. Do not publicly disclose vulnerabilities without our explicit consent.\n9. Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n10. Always be respectful when interacting with our team.\n11. When conducting research, always follow the guidelines set out in [Test plan](#user-content-test-plan).\n12. The final assessment of each vulnerability is determined by its impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n13. If one root cause produces several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by the same server configuration, the same file or template, wildcard domain name resolution, and the like will be considered one vulnerability.\n14. In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n15. For any 0-day vulnerability, we will only accept the report once more than 30 days have passed since the relevant patch was released.\n16. 
Vulnerabilities regarding information disclosure from cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of a valid vulnerability will be based on the sensitivity of the leaked information and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request. Please use the format \"X-HackerOne-Research: [H1 username]\".\n2. Our assets are self sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets.\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n- Abide by the terms and conditions of Deriv.com.\n- Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n- Not be employed by Deriv or any of its affiliates, or be an immediate family member of a person employed by Deriv or any of its affiliates.\n- Accept responsibility for any tax implications of a reward from our Bug Bounty Program, which depend on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- oauth.deriv.com\n- WebSocket API on deriv.com (see api.deriv.com)\n- https://app.deriv.com/bot (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n- *.deriv.cloud\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- Deriv P2P: Our peer-to-peer payments app\nhttps://play.google.com/store/apps/details?id=com.deriv.dp2p\nhttps://apps.apple.com/jm/app/deriv-dp2p/id1506901451\n- Deriv GO: Our options trading app\nhttps://play.google.com/store/apps/details?id=com.deriv.app\nhttps://apps.apple.com/ug/app/deriv-go/id1550561298\n\n### Edge businesses:\n- *.deriv.com (any deriv.com subdomain not already listed in a higher tier above)\n- *.binary.com (legacy)\n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps\n- Deriv X: Our CFD trading app by DevExperts (Android app, iOS app)\nhttps://dx.deriv.com\nhttps://play.google.com/store/apps/details?id=com.deriv.dx\nhttps://apps.apple.com/by/app/deriv-x/id1563337503\n- https://ct.deriv.com/ : trading app by cTrader (Android app, iOS app)\n- https://academy.deriv.com/\n- Some operations and maintenance monitoring, test pages, test environments, and open-source systems that lack access controls\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000 |\n| Edge business      | Up to $1,500 |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, directory traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing back-end source code (read-only) or manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interaction logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimal impact (including unauthorised file uploads on our servers to enable phishing)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection that can access sensitive information in local application storage\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $50  |\n| Edge business      | Up to $50  |\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for 
MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities only under complex, unusual conditions\n    - hijack app upgrades\n    - load arbitrary URLs through an exposed component, enabling phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Issues in the 3rd party app MyAffiliates\n- Issues in the 3rd party support chat widget (LiveChat/Freshworks)\n- Clickjacking without any impact\n- Public Jira Service Desk sign-up being allowed on https://deriv.atlassian.net/servicedesk/customer/user/signup (it is not owned by Deriv)\n- XML-RPC related brute-force/enumeration/DDoS attacks\n- Open Firebase database without sensitive information\n- Design flaws and best-practice deviations that do not lead to security vulnerabilities\n- Vulnerabilities that pose no threat to deriv.com or other users, for example self-XSS or having a user paste JavaScript into the browser console\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Issues with minimal security implications, such as low-impact CSRF (login/logout), low-impact UI redressing, or a misconfiguration that leads to a CORS bypass without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Disclosure of non-sensitive information such as error messages, software versions, IP addresses, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in outdated Internet Explorer 
browsers\n- HTTP status codes/pages (error pages and other non-standard responses) and other non-sensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF that does not expose internal server information (e.g., only a DNS request, without any further impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs containing sensitive information, or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak that requires a malicious app to have already acquired the appropriate permissions\n- Runtime hacking exploits using tools such as, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that only work on older Android versions (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. 
If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-09T08:53:16.575Z"},{"id":3728662,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the overall security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility to participate](#user-content-eligibility-to-participate)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as a pretext for activities such as:\n    - exploiting vulnerabilities to steal user data\n    - intruding into Deriv’s services\n    - changing, copying, or stealing data from related system services\n2. Do not cause more harm than good. 
You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that change, degrade, damage, or destroy information within our systems or that may impact or affect our users.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing.\n5. Only interact with accounts you own or with the explicit permission of the account holder.\n6. Do not cause loss of funds that are not your own.\n7. No destructive automated testing. Under no circumstances should automated testing cause intentional damage to our systems.\n8. Do not publicly disclose vulnerabilities without our explicit consent.\n9. Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n10. Always be respectful when interacting with our team.\n11. When conducting research, always follow the guidelines set out in [Test plan](#user-content-test-plan).\n12. The final assessment of each vulnerability is determined by its impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n13. If one root cause produces several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by the same server configuration, the same file or template, wildcard domain name resolution, and the like will be considered one vulnerability.\n14. In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n15. For any 0-day vulnerability, we will only accept the report once more than 30 days have passed since the relevant patch was released.\n16. 
Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Whether the report is confirmed as a valid vulnerability will depend on the sensitivity of the leaked information and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request, in the format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets allow self sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these depend on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com.\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates, or be an immediate family member of a person employed by Deriv or any of its affiliates.\n - Accept responsibility for any tax implications of a reward from our Bug Bounty Program, which depend on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- oauth.deriv.com\n- WebSocket API on deriv.com (see api.deriv.com)\n- https://app.deriv.com/bot (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n- *.deriv.cloud\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- Deriv P2P: Our peer-to-peer payments app\nhttps://play.google.com/store/apps/details?id=com.deriv.dp2p\nhttps://apps.apple.com/jm/app/deriv-dp2p/id1506901451\n- Deriv GO: Our options trading app\nhttps://play.google.com/store/apps/details?id=com.deriv.app\nhttps://apps.apple.com/ug/app/deriv-go/id1550561298\n\n### Edge businesses:\n- *.deriv.com (excluding the deriv.com subdomains already listed in the categories above)\n- *.binary.com (legacy)\n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps\n- Deriv X: Our CFD trading app by DevExperts (Android app, iOS app)\nhttps://dx.deriv.com\nhttps://play.google.com/store/apps/details?id=com.deriv.dx\nhttps://apps.apple.com/by/app/deriv-x/id1563337503\n- https://ct.deriv.com/ (trading app by cTrader; Android app, iOS app)\n- https://academy.deriv.com/\n- Some operations and maintenance monitoring tools, test pages, test environments, and open-source systems that lack access controls\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000 |\n| Edge business      | Up to $1,500 |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimal impact (including unauthorised file uploads on our servers to enable phishing)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $50  |\n| Edge business      | Up to $50  |\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for 
MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Issues in the third-party app MyAffiliates\n- Clickjacking without any impact\n- Public sign-up being allowed on the Jira service desk at https://deriv.atlassian.net/servicedesk/customer/user/signup (it is not owned by Deriv)\n- XML-RPC related brute-force, enumeration, or DDoS attacks\n- Firebase databases that are open but contain no sensitive information\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that pose no threat to deriv.com or other users, for example self-XSS or having a user paste JavaScript into the browser console\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Issues with minimal security implications, such as low-impact CSRF (login/logout), low-impact UI redressing, or CORS misconfigurations that do not leak any sensitive information\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Disclosure of non-sensitive information, such as error messages, software versions, or IP addresses\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in outdated Internet Explorer versions\n- HTTP status code pages, other non-standard HTTP pages, or 
non-sensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF that does not expose internal server information (e.g., only triggers a DNS request with no further impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded in or recoverable from the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- The allowBackup: true app setting\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that only work on older Android versions (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. 
If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-05T04:51:22.417Z"},{"id":3725851,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility to participate](#user-content-eligibility-to-participate)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example:\n    - exploiting vulnerabilities to steal user data\n    - intrusion into Deriv’s services\n    - changing, copying, or stealing data from related system services\n2. Do not cause more harm than good. 
You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that change, degrade, damage, or destroy information within our systems or that may impact or affect our users.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass create accounts, only create accounts necessary for your testing\n5. Only interact with accounts you own or with the explicit permission of the account holder.\n6. Do not incur loss of funds that are not your own\n7. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n8. Do not publicly disclose vulnerabilities without our explicit consent\n9. Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n10. Always be respectful when interacting with our team\n11. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n12. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n13.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n14.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n15. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n16. 
Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Whether the report is confirmed as a valid vulnerability will depend on the sensitivity of the leaked information and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request, in the format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets allow self sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these depend on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com.\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates, or be an immediate family member of a person employed by Deriv or any of its affiliates.\n - Accept responsibility for any tax implications of a reward from our Bug Bounty Program, which depend on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- oauth.deriv.com\n- WebSocket API on deriv.com (see api.deriv.com)\n- https://app.deriv.com/bot (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n- *.deriv.cloud\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- Deriv P2P: Our peer-to-peer payments app\nhttps://play.google.com/store/apps/details?id=com.deriv.dp2p\nhttps://apps.apple.com/jm/app/deriv-dp2p/id1506901451\n- Deriv GO: Our options trading app\nhttps://play.google.com/store/apps/details?id=com.deriv.app\nhttps://apps.apple.com/ug/app/deriv-go/id1550561298\n\n### Edge businesses:\n- *.deriv.com (excluding the deriv.com subdomains already listed in the categories above)\n- *.binary.com (legacy)\n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps\n- Deriv X: Our CFD trading app by DevExperts (Android app, iOS app)\nhttps://dx.deriv.com\nhttps://play.google.com/store/apps/details?id=com.deriv.dx\nhttps://apps.apple.com/by/app/deriv-x/id1563337503\n- https://ct.deriv.com/ (trading app by cTrader; Android app, iOS app)\n- https://academy.deriv.com/\n- Some operations and maintenance monitoring tools, test pages, test environments, and open-source systems that lack access controls\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000 |\n| Edge business      | Up to $1,500 |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimal impact (including unauthorised file uploads on our servers to enable phishing)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $50  |\n| Edge business      | Up to $50  |\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for 
MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Clickjacking without any impact\n- Public sign-up being allowed on the Jira service desk at https://deriv.atlassian.net/servicedesk/customer/user/signup (it is not owned by Deriv)\n- XML-RPC related brute-force, enumeration, or DDoS attacks\n- Firebase databases that are open but contain no sensitive information\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that pose no threat to deriv.com or other users, for example self-XSS or having a user paste JavaScript into the browser console\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Issues with minimal security implications, such as low-impact CSRF (login/logout), low-impact UI redressing, or CORS misconfigurations that do not leak any sensitive information\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Disclosure of non-sensitive information, such as error messages, software versions, or IP addresses\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in outdated Internet Explorer versions\n- HTTP status code pages, other non-standard HTTP pages, or non-sensitive information files\n- 
Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF that does not expose internal server information (e.g., only triggers a DNS request with no further impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded in or recoverable from the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- The allowBackup: true app setting\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that only work on older Android versions (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. 
https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-13T12:43:59.770Z"},{"id":3725850,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility to participate](#user-content-eligibility-to-participate)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example:\n    - exploiting vulnerabilities to steal user data\n    - intrusion into Deriv’s services\n    - changing, copying, or stealing data from related system services\n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that change, degrade, damage, or destroy information within our systems or that may impact or affect our users.\n3. 
Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing\n5. Do not cause a loss of funds that are not your own\n6. No destructive automated testing. Under no circumstances should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research, always follow the guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11. If one vulnerability source causes several vulnerabilities, we will consider them as one vulnerability. For example, multiple problems caused by a particular server configuration, the same file or template, wildcard domain name resolution, and the like will be considered as one vulnerability.\n12. In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding 0-day vulnerabilities, we will only accept a report if it has been \u003e 30 days since the relevant patch was released.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Whether the report is confirmed as a valid vulnerability will depend on the sensitivity of the leaked information and is at our sole discretion.\n\n---\n# Test plan\n1. 
In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request, in the format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets allow self sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these depend on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com.\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates, or be an immediate family member of a person employed by Deriv or any of its affiliates.\n - Accept responsibility for any tax implications of a reward from our Bug Bounty Program, which depend on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. 
We will reward based on the impact and severity of the reported vulnerability.\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- oauth.deriv.com\n- WebSocket API on deriv.com (see api.deriv.com)\n- https://app.deriv.com/bot (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n- *.deriv.cloud\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- Deriv P2P: Our peer-to-peer payments app\nhttps://play.google.com/store/apps/details?id=com.deriv.dp2p\nhttps://apps.apple.com/jm/app/deriv-dp2p/id1506901451\n- Deriv GO: Our options trading app\nhttps://play.google.com/store/apps/details?id=com.deriv.app\nhttps://apps.apple.com/ug/app/deriv-go/id1550561298\n\n### Edge businesses:\n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (legacy)\n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps\n- Deriv X: Our CFD trading app by DevExperts (Android app, iOS app)\nhttps://dx.deriv.com\nhttps://play.google.com/store/apps/details?id=com.deriv.dx\nhttps://apps.apple.com/by/app/deriv-x/id1563337503\n- https://ct.deriv.com/ trading app by cTrader (Android app, iOS app)\n- https://academy.deriv.com/\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000 |\n| Edge business      | Up to $1,500 |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimal impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $50  |\n| Edge business      | Up to $50  |\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    
- phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Clickjacking without any impact\n- Jira service desk signup publicly allowed on https://deriv.atlassian.net/servicedesk/customer/user/signup (it's not owned by Deriv)\n- XMLRPC-related brute-force/enumeration/DDoS attacks\n- Firebase DB open without sensitive information\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self-XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, misconfigurations that lead to a CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Non-sensitive information disclosure, such as error messages, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in some outdated IE 
browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only a DNS request, without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. 
If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-13T12:29:30.471Z"},{"id":3725849,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example:\n    - exploiting vulnerabilities to steal user data\n    - intrusion into Deriv’s services\n    - changing, copying, or stealing data from related system services\n2. Do not cause more harm than good. 
You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that change, degrade, damage, or destroy information within our systems or that may impact or affect our users.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing.\n5. Do not incur loss of funds that are not your own.\n6. No destructive automated testing. Under no circumstances should automated testing cause intentional damage to our systems.\n7. Do not publicly disclose vulnerabilities without our explicit consent.\n8. Always be respectful when interacting with our team.\n9. When conducting research, always follow our guidelines set out in [Test plan](#user-content-test-plan).\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11. If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12. In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. 
Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request. Please use the format \"X-HackerOne-Research: [H1 username]\".\n2. Our assets are self-sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets.\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n- Abide by the terms and conditions of Deriv.com\n- Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n- Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n- Accept responsibility for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- oauth.deriv.com\n- WebSocket API on deriv.com (see api.deriv.com)\n- https://app.deriv.com/bot (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n- *.deriv.cloud\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- Deriv P2P: Our peer-to-peer payments app\nhttps://play.google.com/store/apps/details?id=com.deriv.dp2p\nhttps://apps.apple.com/jm/app/deriv-dp2p/id1506901451\n- Deriv GO: Our options trading app\nhttps://play.google.com/store/apps/details?id=com.deriv.app\nhttps://apps.apple.com/ug/app/deriv-go/id1550561298\n\n### Edge businesses:\n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (legacy)\n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps\n- Deriv X: Our CFD trading app by DevExperts (Android app, iOS app)\nhttps://dx.deriv.com\nhttps://play.google.com/store/apps/details?id=com.deriv.dx\nhttps://apps.apple.com/by/app/deriv-x/id1563337503\n- https://ct.deriv.com/ trading app by cTrader (Android app, iOS app)\n- https://academy.deriv.com/\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000 |\n| Edge business      | Up to $1,500 |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimal impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $50  |\n| Edge business      | Up to $50  |\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    
- phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Clickjacking without any impact\n- Jira service desk signup publicly allowed on https://deriv.atlassian.net/servicedesk/customer/user/signup (it's not owned by Deriv)\n- XMLRPC-related brute-force/enumeration/DDoS attacks\n- Firebase DB open without sensitive information\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self-XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, misconfigurations that lead to a CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Non-sensitive information disclosure, such as error messages, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in some outdated IE 
browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only a DNS request, without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. 
If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-13T12:27:25.959Z"},{"id":3719695,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example:\n    - exploiting vulnerabilities to steal user data\n    - intrusion into Deriv’s services\n    - changing, copying, or stealing data from related system services\n2. Do not cause more harm than good. 
You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that change, degrade, damage, or destroy information within our systems or that may impact or affect our users.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing.\n5. Do not incur loss of funds that are not your own.\n6. No destructive automated testing. Under no circumstances should automated testing cause intentional damage to our systems.\n7. Do not publicly disclose vulnerabilities without our explicit consent.\n8. Always be respectful when interacting with our team.\n9. When conducting research, always follow our guidelines set out in [Test plan](#user-content-test-plan).\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11. If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12. In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. 
Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request. Please use the format \"X-HackerOne-Research: [H1 username]\".\n2. Our assets are self-sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets.\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n- Abide by the terms and conditions of Deriv.com\n- Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n- Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n- Accept responsibility for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- oauth.deriv.com\n- WebSocket API on deriv.com (see api.deriv.com)\n- https://app.deriv.com/bot (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n- *.deriv.cloud\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- Deriv P2P: Our peer-to-peer payments app\nhttps://play.google.com/store/apps/details?id=com.deriv.dp2p\nhttps://apps.apple.com/jm/app/deriv-dp2p/id1506901451\n- Deriv GO: Our options trading app\nhttps://play.google.com/store/apps/details?id=com.deriv.app\nhttps://apps.apple.com/ug/app/deriv-go/id1550561298\n\n### Edge businesses:\n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (legacy)\n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps\n- Deriv X: Our CFD trading app by DevExperts (Android app, iOS app)\nhttps://dx.deriv.com\nhttps://play.google.com/store/apps/details?id=com.deriv.dx\nhttps://apps.apple.com/by/app/deriv-x/id1563337503\n- https://ct.deriv.com/ trading app by cTrader (Android app, iOS app)\n- https://academy.deriv.com/\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000 |\n| Edge business      | Up to $1,500 |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $50  |\n| Edge business      | Up to $50  |\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    
- phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Clickjacking without any impact\n- Jira service desk signup publicly allowed on https://deriv.atlassian.net/servicedesk/customer/user/signup (it is not owned by Deriv)\n- XMLRPC-related brute-force/enumeration/DDoS attacks\n- Firebase DB open without sensitive information\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self-XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, or misconfigurations that lead to a CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Disclosure of non-sensitive information such as error messages, software versions, IP addresses, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in some low-level IE 
browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only a DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only possible on older versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. 
If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-20T03:31:29.823Z"},{"id":3701864,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. 
You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that change, degrade, damage, or destroy information within our systems or that may impact or affect our users.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstances should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research, always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11. If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12. In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. 
Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request. Please use the format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self-sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- oauth.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://app.deriv.com/bot (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- Our CFD trading application by Devexperts: dx.deriv.com\n- Deriv P2P: Our peer-to-peer payments app \nhttps://play.google.com/store/apps/details?id=com.deriv.dp2p\nhttps://apps.apple.com/jm/app/deriv-dp2p/id1506901451\n- Deriv GO: Our options trading app \nhttps://play.google.com/store/apps/details?id=com.deriv.app\nhttps://apps.apple.com/ug/app/deriv-go/id1550561298\n- Deriv X: Our CFD trading app by DevExperts (Android app, iOS app)\nhttps://play.google.com/store/apps/details?id=com.deriv.dx\nhttps://apps.apple.com/by/app/deriv-x/id1563337503\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (legacy)\n- *.deriv.cloud\n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000 |\n| Edge business      | Up to $1,500 |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $50  |\n| Edge business      | Up to $50  |\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    
- phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self-XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, or misconfigurations that lead to a CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Disclosure of non-sensitive information such as error messages, software versions, IP addresses, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information 
(only a DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only possible on older versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-09-11T10:37:51.847Z"},{"id":3697784,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. 
If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstances should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research, always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11. If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12. In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request. 
Please use the format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self-sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- oauth.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://app.deriv.com/bot (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- Our CFD trading application by Devexperts: dx.deriv.com\n- Deriv P2P: Our peer-to-peer payments app \nhttps://play.google.com/store/apps/details?id=com.deriv.dp2p\nhttps://apps.apple.com/jm/app/deriv-dp2p/id1506901451\n- Deriv GO: Our options trading app \nhttps://play.google.com/store/apps/details?id=com.deriv.app\nhttps://apps.apple.com/ug/app/deriv-go/id1550561298\n- Deriv X: Our CFD trading app by DevExperts (Android app, iOS app)\nhttps://play.google.com/store/apps/details?id=com.deriv.dx\nhttps://apps.apple.com/by/app/deriv-x/id1563337503\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (legacy)\n- *.deriv.cloud\n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000 |\n| Edge business      | Up to $1,500 |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimal impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $50  |\n| Edge business      | Up to $50  |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    
- phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that pose no threat to deriv.com or other users, for example, self-XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, misconfigurations that lead to a CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Non-sensitive information disclosure such as error messages, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information 
(only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in older versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-13T04:45:42.865Z"},{"id":3688234,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example:\n    - exploiting vulnerabilities to steal user data\n    - intrusion into Deriv’s services\n    - changing, copying, or stealing data from related system services\n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. 
If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research, always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11. If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12. In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request. 
Please use the format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self-sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- oauth.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://app.deriv.com/bot (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- Our CFD trading application by Devexperts: dx.deriv.com\n- Deriv P2P: Our peer-to-peer payments app \nhttps://play.google.com/store/apps/details?id=com.deriv.dp2p\nhttps://apps.apple.com/jm/app/deriv-dp2p/id1506901451\n- Deriv GO: Our options trading app \nhttps://play.google.com/store/apps/details?id=com.deriv.app\nhttps://apps.apple.com/ug/app/deriv-go/id1550561298\n- Deriv X: Our CFD trading app by DevExperts (Android app, iOS app)\nhttps://play.google.com/store/apps/details?id=com.deriv.dx\nhttps://apps.apple.com/by/app/deriv-x/id1563337503\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (legacy)\n- *.deriv.cloud\n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000  |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimal impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0   |\n| Edge business      | Up to $0   |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - 
phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that pose no threat to deriv.com or other users, for example, self-XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, misconfigurations that lead to a CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Non-sensitive information disclosure such as error messages, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information 
(only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in older versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-26T10:54:00.259Z"},{"id":3688187,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example:\n    - exploiting vulnerabilities to steal user data\n    - intrusion into Deriv’s services\n    - changing, copying, or stealing data from related system services\n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. 
If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research, always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11. If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12. In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request. 
Please use the format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self-sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://bot.deriv.com/ (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- Our CFD trading application by Devexperts: dx.deriv.com\n- Deriv P2P: Our peer-to-peer payments app (Android app, iOS app)\n- Deriv GO: Our options trading app (Android app, iOS app)\n- Deriv X: Our CFD trading app by DevExperts (Android app, iOS app)\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com \n- *.deriv.cloud\n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH 
Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimal impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    
- subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0   |\n| Edge business      | Up to $0   |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that pose no threat to deriv.com or other users, for example, self-XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of 
third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact CSRF (login/logout), low-impact UI redressing, misconfiguration that lead to CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Insensitive disclosure of information such as error message, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with 
limited impact\n- Malformed intents sent to exported components that only causes the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-25T06:10:59.826Z"},{"id":3688148,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. 
To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example:\n    - exploiting vulnerabilities to steal user data\n    - intrusion into Deriv’s services\n    - changing, copying, or stealing data from related system services\n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. 
The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11. If one vulnerability source causes several vulnerabilities, we will consider it one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered one vulnerability.\n12. In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request. Please use the format \"X-HackerOne-Research: [H1 username]\"\n2. 
Our assets are self-sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - Acknowledge that you are responsible for any tax implications of a reward from our Bug Bounty Program, depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://bot.deriv.com/ (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/deriv-com\n- github.com/binary-com\n- *.deriv.cloud\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com \n- https://hub.docker.com/u/deriv\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- 
Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in 
local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0   |\n| Edge business      | Up to $0   |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that pose no threat to deriv.com or other users, for example self-XSS or having a user paste JavaScript into the browser console\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, 
misconfigurations that lead to a CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Non-sensitive information disclosure such as error messages, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerabilities that do not expose intranet server information (only a DNS request, without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools such as (but not limited to) Frida and Appmon\n- 
Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that only work on lower versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-24T13:36:53.377Z"},{"id":3688132,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. 
We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass create accounts, only create accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. 
Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request. Please use the format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self-sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. \n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://bot.deriv.com/ (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/deriv-com\n- *.deriv.cloud\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com \n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000  |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500   |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0   |\n| Edge business      | Up to $0   |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - 
phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that pose no threat to deriv.com or other users, for example self-XSS or having a user paste JavaScript into the browser console\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, misconfigurations that lead to a CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Non-sensitive information disclosure such as error messages, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerabilities that do not expose intranet server information 
(only a DNS request, without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools such as (but not limited to) Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that only work on lower versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-24T11:28:57.172Z"},{"id":3688131,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example:\n    - exploiting vulnerabilities to steal user data\n    - intrusion into Deriv’s services\n    - changing, copying, or stealing data from related system services\n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. 
If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass create accounts, only create accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. 
Please use format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program, however these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to  keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://bot.deriv.com/ (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/deriv-com\n- *.deriv.cloud\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com \n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulate our 
systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW 
Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0 |\n| Edge business      | Up to $0 |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n     - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self XSS, having a user paste - JavaScript into the browser console etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact CSRF (login/logout), low-impact UI redressing, misconfiguration that lead to CORS bypass but 
without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Insensitive disclosure of information such as error message, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only causes the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a 
jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-24T10:13:51.618Z"},{"id":3688127,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eiligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. 
We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass create accounts, only create accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. 
Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. Please use format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program, however these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to  keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. \n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://bot.deriv.com/ (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/deriv-com\n- *.deriv.cloud\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulate our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0 |\n| Edge business      | Up to $0 |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n     - 
phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self XSS, having a user paste - JavaScript into the browser console etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact CSRF (login/logout), low-impact UI redressing, misconfiguration that lead to CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Insensitive disclosure of information such as error message, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information 
(only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only causes the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-24T08:47:19.967Z"},{"id":3688126,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eiligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. 
If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass create accounts, only create accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. 
Please use format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program, however these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to  keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://bot.deriv.com/ (Deriv's trading bot functionality)\n- https://app.deriv.com\n- https://smarttrader.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/deriv-com\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing 
read-only back-end code and manipulate our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local 
applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0 |\n| Edge business      | Up to $0 |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that pose no threat to deriv.com or other users, for example, self XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact CSRF (login/logout), low-impact UI redressing, 
misconfigurations that lead to CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Non-sensitive information disclosure such as error messages, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in outdated versions of Internet Explorer\n- HTTP codes/pages, other HTTP non- codes/pages, or other non-sensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerabilities that do not expose intranet server information (only a DNS request, without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- 
Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only possible on older versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-24T08:33:26.399Z"},{"id":3688125,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. 
We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass create accounts, only create accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. 
Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. Please use format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program, however these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to  keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. \n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://bot.deriv.com/ (Deriv's trading bot functionality)\n- https://app.deriv.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/deriv-com\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulate our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0 |\n| Edge business      | Up to $0 |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n     - 
phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that pose no threat to deriv.com or other users, for example, self XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact CSRF (login/logout), low-impact UI redressing, misconfigurations that lead to CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Non-sensitive information disclosure such as error messages, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in outdated versions of Internet Explorer\n- HTTP codes/pages, other HTTP non- codes/pages, or other non-sensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerabilities that do not expose intranet server information 
(only a DNS request, without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only possible on older versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-24T08:32:44.913Z"},{"id":3688124,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. 
If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass create accounts, only create accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. 
Please use format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program, however these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to  keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://bot.deriv.com/ (Deriv's trading bot functionality)\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/deriv-com\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulate our systems\n- Accessing 
internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will 
triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0 |\n| Edge business      | Up to $0 |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n     - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self XSS, having a user paste - JavaScript into the browser console etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact CSRF (login/logout), low-impact UI redressing, misconfiguration that lead to CORS bypass but without any sensitive information 
leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Insensitive disclosure of information such as error message, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only causes the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing 
vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-24T08:28:35.327Z"},{"id":3688123,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eiligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. 
We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass create accounts, only create accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. 
Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. Please use format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program, however these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to  keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. \n\n## Categorisation\n### Important businesses:\n- cashier.deriv.com\n- Websocket API on deriv.com (see api.deriv.com)\n- https://bot.deriv.com/ (Deriv's trading bot functionality)\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/deriv-com\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulate our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0 |\n| Edge business      | Up to $0 |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n     - 
phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self XSS, having a user paste - JavaScript into the browser console etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact CSRF (login/logout), low-impact UI redressing, misconfiguration that lead to CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Insensitive disclosure of information such as error message, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information 
(only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only causes the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-24T07:55:18.630Z"},{"id":3688067,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eiligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. 
If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass create accounts, only create accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. 
Please use format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program, however these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to  keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.binary.com\n- crypto-cashier.binary.com\n- Websocket API on deriv.com (see api.deriv.com)\n- webtrader.binary.com\n- binary.bot (Deriv's trading bot functionality)\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/binary-com\n- github.com/deriv-com\n- charts.binary.com\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500 
|\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulate our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection 
with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0 |\n| Edge business      | Up to $0 |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n     - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self XSS, having a user paste - JavaScript into the browser console etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact 
CSRF (login/logout), low-impact UI redressing, misconfiguration that lead to CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Insensitive disclosure of information such as error message, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only causes the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools 
like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy. https://hackerone.com/deriv/safe_harbor\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-23T09:31:34.990Z"},{"id":3688066,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eiligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. 
We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass create accounts, only create accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. 
Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. Please use format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program, however these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to  keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com. Follow HackerOne's disclosure guidelines. 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n - Abide by the terms and conditions of Deriv.com\n - Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n - Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n - You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. \n\n## Categorisation\n### Important businesses:\n- cashier.binary.com\n- crypto-cashier.binary.com\n- Websocket API on deriv.com (see api.deriv.com)\n- webtrader.binary.com\n- binary.bot (Deriv's trading bot functionality)\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/binary-com\n- github.com/deriv-com\n- charts.binary.com\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulate our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0 |\n| Edge business      | Up to $0 |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n     - 
phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self XSS, having a user paste - JavaScript into the browser console etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact CSRF (login/logout), low-impact UI redressing, misconfiguration that lead to CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Insensitive disclosure of information such as error message, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information 
(only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only causes the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy.\n\nFor any questions, please contact us at security@deriv.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-23T09:29:51.592Z"},{"id":3688065,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eiligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. 
If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass create accounts, only create accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. 
Please use format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program, however these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to  keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com.\nFollow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\nAbide by the terms and conditions of Deriv.com\nNot be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\nNot be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\nYou are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.binary.com\n- crypto-cashier.binary.com\n- Websocket API on deriv.com (see api.deriv.com)\n- webtrader.binary.com\n- binary.bot (Deriv's trading bot functionality)\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/binary-com\n- github.com/deriv-com\n- charts.binary.com\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500 
|\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulate our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection 
with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0 |\n| Edge business      | Up to $0 |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n     - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self XSS, having a user paste - JavaScript into the browser console etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact 
CSRF (login/logout), low-impact UI redressing, misconfiguration that lead to CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Insensitive disclosure of information such as error message, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only causes the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools 
like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy.\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-23T09:29:07.996Z"},{"id":3688064,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eiligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n---\n# Ground rules\n1. Respect our users’ privacy. 
We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass create accounts, only create accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. 
Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request. Please use the format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com.\nFollow HackerOne's disclosure guidelines. 
If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n- Abide by the terms and conditions of Deriv.com\n- Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n- Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n\nYou are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. \n\n## Categorisation\n### Important businesses:\n- cashier.binary.com\n- crypto-cashier.binary.com\n- Websocket API on deriv.com (see api.deriv.com)\n- webtrader.binary.com\n- binary.bot (Deriv's trading bot functionality)\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/binary-com\n- github.com/deriv-com\n- charts.binary.com\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Any issues in third-party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0 |\n| Edge business      | Up to $0 |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - 
phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, misconfigurations that lead to a CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Disclosure of non-sensitive information such as error messages, software versions, IP addresses, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only 
DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy.\n\nFor any questions, please contact us at security@deriv.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-23T09:27:31.161Z"},{"id":3688063,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Eligibility policy](#user-content-eligibility-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. 
If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11. If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12. In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test Plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request. 
Please use the format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com.\nFollow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n# Eligibility to Participate\nTo participate in our Bug Bounty Program, you must:\n- Abide by the terms and conditions of Deriv.com\n- Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.\n- Not be employed by Deriv or any of its affiliates or an immediate family member of a person employed by Deriv or any of its affiliates.\n\nYou are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
\n\n## Categorisation\n### Important businesses:\n- cashier.binary.com\n- crypto-cashier.binary.com\n- Websocket API on deriv.com (see api.deriv.com)\n- webtrader.binary.com\n- binary.bot (Deriv's trading bot functionality)\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by deriv.com)\n\n### General businesses:\n- github.com/binary-com\n- github.com/deriv-com\n- charts.binary.com\n\n### Edge businesses: \n- *.deriv.com (excluding any deriv.com subdomains not mentioned above)\n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Any issues in 3rd party apps\n- Some operation and maintenance monitoring, test pages, test environments, and open-source systems that lack access permissions\n- The list above is not exhaustive. We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,000  |\n| Edge business      | Up to $1,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $2,500 |\n| General business   | Up to $1,500 |\n| Edge business      | Up to $500 
|\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection 
with the ability to access sensitive information in local applications\n\n---\n## Bounties for LOW Vulnerabilities\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will only reward important business issues.__**\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $100 |\n| General business   | Up to $0 |\n| Edge business      | Up to $0 |\n\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact 
CSRF (login/logout), low-impact UI redressing, misconfigurations that lead to a CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Disclosure of non-sensitive information such as error messages, software versions, IP addresses, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools 
like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy.\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-23T09:24:23.913Z"},{"id":3688061,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team aims to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n---\n# Ground rules\n1. Respect our users’ privacy. 
We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass-create accounts; only create the accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11. If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12. In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. 
Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like):\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test Plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header in each and every testing request. Please use the format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign-up; please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program; however, these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com.\nFollow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
Please note that web and mobile application vulnerabilities of low severity will be triaged, but not awarded with a bounty (except in cases where the impact is severe enough to be eligible for a reward).\n\n## Categorisation\n### Important businesses:\n- cashier.binary.com\n- crypto-cashier.binary.com\n- binary.com\n- Websocket API on binary.com (*.binaryws.com)\n- webtrader.binary.com\n- binary.bot\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by Binary.com)\n\n### General businesses:\n- github.com/binary-com\n- tradingview.binary.com\n- charts.binary.com\n\n### Edge businesses: \n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n- The list above is not exhaustive. We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $10,000 |\n| General business   | Up to $5,000  |\n| Edge business      | Up to $2,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| 
General business   | Up to $2,500 |\n| Edge business      | Up to $1,000 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n**We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will not reward them unless the impact is severe enough.**\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to deriv.com or other users, for example, self XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, or misconfigurations that lead to a CORS bypass without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Non-sensitive information disclosure, such as error messages, software versions, IP addresses, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in older Internet Explorer versions\n- HTTP error codes/pages, other non-success HTTP codes/pages, or other non-sensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerabilities that do not expose intranet server information (e.g., only a DNS request, without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing 
vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy.\n\nFor any questions, please contact us at security@deriv.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-23T08:48:12.222Z"},{"id":3688050,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team hopes to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n---\n# Ground rules\n1. Respect our users’ privacy. 
We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n4. Do not mass create accounts, only create accounts necessary for your testing\n5. Do not incur loss of funds that are not your own\n6. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n7. Do not publicly disclose vulnerabilities without our explicit consent\n8. Always be respectful when interacting with our team\n9. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n10. The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.\n11.  If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n12.  In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n13. 
Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n14. Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Test Plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. Please use format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program, however these are dependent on severity and complexity:\n- **Time to first response (from report submission)**: 2 business days\n- **Time to triage**: 2 business days\n- **Time to bounty (from triage)**: 2 business days\n\nWe will aim to  keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not publicly or privately disclose this program or any vulnerabilities (even resolved ones) outside the program without prior written consent from deriv.com.\nFollow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
Please note that web and mobile application vulnerabilities of low severity will be triaged, but not awarded with a bounty (except in cases where the impact is severe enough to be eligible for a reward).\n\n## Categorisation\n### Important businesses:\n- cashier.binary.com\n- crypto-cashier.binary.com\n- binary.com\n- Websocket API on binary.com (*.binaryws.com)\n- webtrader.binary.com\n- binary.bot\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by Binary.com)\n\n### General businesses:\n- github.com/binary-com\n- tradingview.binary.com\n- charts.binary.com\n\n### Edge businesses: \n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n- The list above is not exhaustive. We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $10,000 |\n| General business   | Up to $5,000  |\n| Edge business      | Up to $2,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| 
General business   | Up to $2,500 |\n| Edge business      | Up to $1,000 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n**We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will not reward them unless the impact is severe enough.**\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to Binary.com or other users, for example, self XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, or misconfigurations that lead to a CORS bypass without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Non-sensitive information disclosure, such as error messages, software versions, IP addresses, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in older Internet Explorer versions\n- HTTP error codes/pages, other non-success HTTP codes/pages, or other non-sensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerabilities that do not expose intranet server information (e.g., only a DNS request, without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing 
vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy.\n\nFor any questions, please contact us at security@binary.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-23T07:59:02.072Z"},{"id":3688049,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team hopes to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [General vulnerability assessment](#user-content-general-vulnerability-assessment)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n---\n# Ground rules\n1. Respect our users’ privacy. 
We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Do not mass create accounts, only create accounts necessary for your testing\n4. Do not incur loss of funds that are not your own\n5. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n6. Do not publicly disclose vulnerabilities without our explicit consent\n7. Always be respectful when interacting with our team\n8. When conducting research always follow our guidelines set out in [Test plan](#user-content-test-plan)\n9. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion\n\n# Test Plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. Please use format \"X-HackerOne-Research: [H1 username]\"\n2. 
Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program:\n- **Time to first response (from report submission)**: 1 business day\n- **Time to triage (from report submission)**: 3 business days\n- **Time to bounty (from triage)**: 7 business days\n\nWe will keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not discuss this program or any vulnerabilities (even resolved ones) outside the program without consent from Binary.com.\nFollow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# General vulnerability assessment\n- Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n- Unverified vulnerabilities reports using automated tools or scanners will be closed as N/A or spam.\n- The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. We reserve sole discretion on final assessment decisions.   \n- If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. 
For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n- In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n- Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n- Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. Please note that web and mobile application vulnerabilities of low severity will be triaged, but not awarded with a bounty (except in cases where the impact is severe enough to be eligible for a reward).\n\n## Categorisation\n### Important businesses:\n- cashier.binary.com\n- crypto-cashier.binary.com\n- binary.com\n- Websocket API on binary.com (*.binaryws.com)\n- webtrader.binary.com\n- binary.bot\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by Binary.com)\n\n### General businesses:\n- github.com/binary-com\n- tradingview.binary.com\n- charts.binary.com\n\n### Edge businesses: \n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $10,000 |\n| General business   | Up to $5,000  |\n| Edge business      | Up to $2,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,500 |\n| Edge business      | Up to $1,000 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulating our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), logging in to client accounts, extracting clients’ sensitive data, and performing actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing malicious apps on clients’ devices, gaining access to their accounts, and performing actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - clients’ sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via:\n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n**We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will not reward them unless the impact is severe enough.**\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n    - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to Binary.com or other users, for example, self XSS, having a user paste JavaScript into the browser console, etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, or misconfigurations that lead to a CORS bypass without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Non-sensitive information disclosure, such as error messages, software versions, IP addresses, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in older Internet Explorer versions\n- HTTP error codes/pages, other non-success HTTP codes/pages, or other non-sensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerabilities that do not expose intranet server information (e.g., only a DNS request, without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com, etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of the autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only possible on older versions of Android (\u003c 6)\n\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy.\n\nFor any questions, please contact us at security@binary.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-23T07:39:04.817Z"},{"id":3688048,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team hopes to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [General vulnerability assessment](#user-content-general-vulnerability-assessment)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. 
Do not mass create accounts, only create accounts necessary for your testing\n4. Do not incur loss of funds that are not your own\n5. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n6. Do not publicly disclose vulnerabilities without our explicit consent\n7. Always be respectful when interacting with our team\n8. When conducting research always follow our guidelines set out in (#user-content-test-plan)\n9. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion\n\n#Test Plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. Please use format \"X-HackerOne-Research: [H1 username]\"\n2. Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program:\n- **Time to first response (from report submission)**: 1 business day\n- **Time to triage (from report submission)**: 3 business days\n- **Time to bounty (from triage)**: 7 business days\n\nWe will keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not discuss this program or any vulnerabilities (even resolved ones) outside the program without consent from Binary.com.\nFollow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# General vulnerability assessment\n- Please provide detailed reports with reproducible steps. 
If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n- Unverified vulnerabilities reports using automated tools or scanners will be closed as N/A or spam.\n- The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. We reserve sole discretion on final assessment decisions.   \n- If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n- In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n- Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n- Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. 
Please note that web and mobile application vulnerabilities of low severity will be triaged, but not awarded with a bounty (except in cases where the impact is severe enough to be eligible for a reward).\n\n## Categorisation\n### Important businesses:\n- cashier.binary.com\n- crypto-cashier.binary.com\n- binary.com\n- Websocket API on binary.com (*.binaryws.com)\n- webtrader.binary.com\n- binary.bot\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by Binary.com)\n\n### General businesses:\n- github.com/binary-com\n- tradingview.binary.com\n- charts.binary.com\n\n### Edge businesses: \n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n- The list above is not exhaustive. We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $10,000 |\n| General business   | Up to $5,000  |\n| Edge business      | Up to $2,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| 
General business   | Up to $2,500 |\n| Edge business      | Up to $1,000 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulate our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to 
deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will not reward them unless the impact is severe enough.__**\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n     - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to Binary.com or other users, for example, self XSS, having a user paste - JavaScript into the browser console etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact CSRF (login/logout), low-impact UI redressing, misconfiguration that lead to CORS bypass but without any sensitive information leak\n- 
Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Insensitive disclosure of information such as error message, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only causes the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing 
vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy.\n\nFor any questions, please contact us at security@binary.com. Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-23T07:37:59.964Z"},{"id":3688047,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The deriv.com security team hopes to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Test plan](#user-content-test-plan)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [General vulnerability assessment](#user-content-general-vulnerability-assessment)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n---\n# Ground rules\n1. Respect our users’ privacy. 
We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Deriv’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. Do not mass create accounts, only create accounts necessary for your testing\n4. Do not incur loss of funds that are not your own\n5. No destructive automated testing. Under no circumstance should automated testing cause intentional damage to our systems\n6. Do not publicly disclose vulnerabilities without our explicit consent\n7. Always be respectful when interacting with our team\n8. When conducting research always follow our guidelines set out in #user-content-test-plan\n9. Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion\n\n#Test Plan\n1. In order for us to separate testing traffic from real user traffic, we ask that you include a unique HTTP header to each and every testing request. Please use format \"X-HackerOne-Research: [H1 username]\"\n2. 
Our assets are self sign up, please use your [username]@wearehackerone.com email alias for any accounts created on our assets\n\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program:\n- **Time to first response (from report submission)**: 1 business day\n- **Time to triage (from report submission)**: 3 business days\n- **Time to bounty (from triage)**: 7 business days\n\nWe will keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not discuss this program or any vulnerabilities (even resolved ones) outside the program without consent from Binary.com.\nFollow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# General vulnerability assessment\n- Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n- Unverified vulnerabilities reports using automated tools or scanners will be closed as N/A or spam.\n- The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. We reserve sole discretion on final assessment decisions.   \n- If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. 
For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n- In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n- Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n- Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. Please note that web and mobile application vulnerabilities of low severity will be triaged, but not awarded with a bounty (except in cases where the impact is severe enough to be eligible for a reward).\n\n## Categorisation\n### Important businesses:\n- cashier.binary.com\n- crypto-cashier.binary.com\n- binary.com\n- Websocket API on binary.com (*.binaryws.com)\n- webtrader.binary.com\n- binary.bot\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by Binary.com)\n\n### General businesses:\n- github.com/binary-com\n- tradingview.binary.com\n- charts.binary.com\n\n### Edge businesses: \n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $10,000 |\n| General business   | Up to $5,000  |\n| Edge business      | Up to $2,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,500 |\n| Edge business      | Up to $1,000 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulate our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will not reward them unless the impact is severe enough.__**\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n     - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app 
configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to Binary.com or other users, for example, self XSS, having a user paste - JavaScript into the browser console etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact CSRF (login/logout), low-impact UI redressing, misconfiguration that lead to CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Insensitive disclosure of information such as error message, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    
- Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only causes the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy.\n\nFor any questions, please contact us at security@binary.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-23T07:37:29.435Z"},{"id":3685025,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Binary.com Security team hopes to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [General vulnerability assessment](#user-content-general-vulnerability-assessment)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Binary’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. 
When the results of the vulnerability review are disputed, we will handle the disputes according to the principle of prioritising the reporters’ interests, and, if necessary, external parties may be invited to decide and introduce the Common Vulnerability Scoring System (CVSS) standard jointly.\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program:\n- **Time to first response (from report submission)**: 1 business day\n- **Time to triage (from report submission)**: 3 business days\n- **Time to bounty (from triage)**: 7 business days\n\nWe will keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not discuss this program or any vulnerabilities (even resolved ones) outside the program without consent from Binary.com.\nFollow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# General vulnerability assessment\n- Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n- Unverified vulnerabilities reports using automated tools or scanners will be closed as N/A or spam.\n- The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. We reserve sole discretion on final assessment decisions.   \n- If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. 
For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n- In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n- Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n- Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. Please note that web and mobile application vulnerabilities of low severity will be triaged, but not awarded with a bounty (except in cases where the impact is severe enough to be eligible for a reward).\n\n## Categorisation\n### Important businesses:\n- cashier.binary.com\n- crypto-cashier.binary.com\n- binary.com\n- Websocket API on binary.com (*.binaryws.com)\n- webtrader.binary.com\n- binary.bot\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by Binary.com)\n\n### General businesses:\n- github.com/binary-com\n- tradingview.binary.com\n- charts.binary.com\n\n### Edge businesses: \n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $10,000 |\n| General business   | Up to $5,000  |\n| Edge business      | Up to $2,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,500 |\n| Edge business      | Up to $1,000 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulate our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will not reward them unless the impact is severe enough.__**\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n     - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app 
configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to Binary.com or other users, for example, self XSS, having a user paste - JavaScript into the browser console etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact CSRF (login/logout), low-impact UI redressing, misconfiguration that lead to CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Insensitive disclosure of information such as error message, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    
- Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only causes the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy.\n\nFor any questions, please contact us at security@binary.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-20T11:29:53.277Z"},{"id":3656362,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Binary.com Security team hopes to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [General vulnerability assessment](#user-content-general-vulnerability-assessment)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Binary’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. 
When the results of the vulnerability review are disputed, we will handle the disputes according to the principle of prioritising the reporters’ interests, and, if necessary, external parties may be invited to decide and introduce the Common Vulnerability Scoring System (CVSS) standard jointly.\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program:\n- **Time to first response (from report submission)**: 1 business day\n- **Time to triage (from report submission)**: 3 business days\n- **Time to bounty (from triage)**: 7 business days\n\nWe will keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not discuss this program or any vulnerabilities (even resolved ones) outside the program without consent from Binary.com.\nFollow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# General vulnerability assessment\n- Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n- Unverified vulnerabilities reports using automated tools or scanners will be closed as N/A or spam.\n- The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. We reserve sole discretion on final assessment decisions.   \n- If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. 
For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n- In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n- Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n- Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. Please note that web and mobile application vulnerabilities of low severity will be triaged, but not awarded with a bounty (except in cases where the impact is severe enough to be eligible for a reward).\n\n## Categorisation\n### Important businesses:\n- cashier.binary.com\n- crypto-cashier.binary.com\n- binary.com\n- Websocket API on binary.com (*.binaryws.com)\n- webtrader.binary.com\n- binary.bot\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by Binary.com)\n\n### General businesses:\n- github.com/binary-com\n- tradingview.binary.com\n- charts.binary.com\n- Tick Trade mobile app\n\n### Edge businesses: \n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $10,000 |\n| General business   | Up to $5,000  |\n| Edge business      | Up to $2,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,500 |\n| Edge business      | Up to $1,000 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulate our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will not reward them unless the impact is severe enough.__**\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n     - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app 
configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to Binary.com or other users, for example, self XSS, having a user paste - JavaScript into the browser console etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low impact CSRF (login/logout), low-impact UI redressing, misconfiguration that lead to CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Insensitive disclosure of information such as error message, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced by some low-level IE browsers\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerability that does not expose intranet server information (only DNS request without any impact)\n- Issues related to payment providers such as skrill.com, paypal.com etc.\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    
- Reports of insecure SSL/TLS cyphers (unless you have a working proof of concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for APP logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only causes the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only available in lower versions of Android (\u003c 6)\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy.\n\nFor any questions, please contact us at security@binary.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-09T03:57:55.977Z"},{"id":3656313,"new_policy":"The security of our products is very important to us, and we constantly strive to guarantee our users' security. The Binary.com Security team hopes to raise the comprehensive security of our products by working closely with individuals, organisations, and companies. To protect the interests of our users, we thank and reward researchers who help us improve our security.\n\n# Contents\n- [Ground rules](#user-content-ground-rules)\n- [Response targets](#user-content-response-targets)\n- [Disclosure policy](#user-content-disclosure-policy)\n- [General vulnerability assessment](#user-content-general-vulnerability-assessment)\n- [Vulnerabilities and reward structure](#user-content-vulnerabilities-and-reward-structure)\n- [Out of scope vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n- [Safe harbour](#user-content-safe-harbour)\n---\n# Ground rules\n1. Respect our users’ privacy. We oppose and condemn the actions of hackers who use vulnerability testing as an excuse, for example: \n    - exploiting vulnerabilities to steal user data \n    - intrusion into Binary’s services \n    - changing, copying, or stealing data from related system services \n2. Do not cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or that may impact our users, such as denial of service, social engineering, or spam.\n3. 
When the results of the vulnerability review are disputed, we will handle the disputes according to the principle of prioritising the reporters’ interests, and, if necessary, external parties may be invited to decide and introduce the Common Vulnerability Scoring System (CVSS) standard jointly.\n---\n# Response targets\nWe will make our best effort to meet the following response targets for hackers participating in our program:\n- **Time to first response (from report submission)**: 1 business day\n- **Time to triage (from report submission)**: 3 business days\n- **Time to bounty (from triage)**: 7 business days\n\nWe will keep you informed throughout the process.\n\n---\n# Disclosure policy\nDo not discuss this program or any vulnerabilities (even resolved ones) outside the program without consent from Binary.com.\nFollow HackerOne's disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with our bug bounty guidelines.\n\n---\n# General vulnerability assessment\n- Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.\n- Unverified vulnerabilities reports using automated tools or scanners will be closed as N/A or spam.\n- The final assessment of each vulnerability is determined by the impact, risk, and current mitigation measures. We reserve sole discretion on final assessment decisions.   \n- If one vulnerability source causes several vulnerabilities, we will consider it as one vulnerability. 
For example, multiple problems caused by a certain server configuration, the same file or template, generic domain name resolution, and the like will be considered as one vulnerability.\n- In the event of duplicate submissions, we will only award the first report received (provided that it can be fully reproduced).\n- Regarding any 0-day vulnerabilities, we will only accept the report if it has been \u003e 30 days since the relevant patch release.\n- Vulnerabilities regarding information disclosure of cloud storage buckets (e.g., S3, KSS, FDS, and the like)：\n    - We will confirm internally whether the information or link should be publicly accessible/viewable.\n    - Confirmation of the valid vulnerability will be based on the sensitivity of information leakage and is at our sole discretion.\n\n---\n# Vulnerabilities and reward structure\nThe decision to grant a reward for a vulnerability report and the value of the reward is entirely within our discretion. We will reward based on the impact and severity of the reported vulnerability. Please note that web and mobile application vulnerabilities of low severity will be triaged, but not awarded with a bounty (except in cases where the impact is severe enough to be eligible for a reward).\n\n## Categorisation\n### Important businesses:\n- cashier.binary.com\n- crypto-cashier.binary.com\n- binary.com\n- Websocket API on binary.com (*.binaryws.com)\n- webtrader.binary.com\n- binary.bot\n- secure-dfadmin.binary.com\n- MetaTrader 5 (only functions handled by Binary.com)\n\n### General businesses:\n- github.com/binary-com\n- tradingview.binary.com\n- charts.binary.com\n- Tick Trade mobile app\n\n### Edge businesses: \n- *.binary.com (excluding any Binary.com subdomains not mentioned above)\n- Some operation and maintenance monitoring, test pages, test environments, and open source systems that lack access permissions\n- The list above is not exhaustive. 
We’ll update it according to business changes from time to time.\n\n---\n## Bounties for CRITICAL vulnerabilities\n\n| Business type      | Bounty        |\n|--------------------|---------------|\n| Important business | Up to $10,000 |\n| General business   | Up to $5,000  |\n| Edge business      | Up to $2,500  |\n\n**Examples of CRITICAL Vulnerabilities in WEB**\n- The ability to obtain sensitive user data and system permissions directly via command injection, order traversal, remote overflows, SQL injection, and the like\n- Payment vulnerabilities that could potentially lead to a critical logic error, causing loss to the company and our clients\n- The ability to exploit account-related vulnerabilities to obtain user details, bypass authentication, and the like\n\n**Examples of CRITICAL Vulnerabilities in MOBILE**\n- Severe logic vulnerabilities that could cause losses to our clients\n- Remote command execution\n- The ability to access and extract users’ data\n\n---\n## Bounties for HIGH Vulnerabilities\n\n| Business type      | Bounty       |\n|--------------------|--------------|\n| Important business | Up to $5,000 |\n| General business   | Up to $2,500 |\n| Edge business      | Up to $1,000 |\n\n**Examples of HIGH Vulnerabilities for WEB**\n- Accessing read-only back-end code and manipulate our systems\n- Accessing internal session cookies and other sensitive information\n- Bypassing verification (OTP, 2FA), log in to client accounts, extract clients’ sensitive data, and perform actions without consent\n- Causing damage to critical functions via privilege escalation (horizontal and vertical)\n- Obtaining sensitive intranet information via server-side request forgery (SSRF)\n- Manipulating trade contracts to earn profit\n\n**Examples of HIGH Vulnerabilities for MOBILE**\n- Bypassing the lock screen (where applicable)\n- Exploiting interactive logic issues that can cause loss to clients\n- Gaining remote access to clients’ sensitive information\n- Installing 
malicious apps on clients’ devices, gain access to their accounts, and perform actions without their consent\n\n---\n## Bounties for MEDIUM Vulnerabilities\n\n| Business type      | Bounty     |\n|--------------------|------------|\n| Important business | Up to $500 |\n| General business   | Up to $250 |\n| Edge business      | Up to $100 |\n\n**Examples of MEDIUM Vulnerabilities for WEB**\n- The ability to access a limited portion of:\n    - client’s sensitive information\n    - our back-end code\n    - internal information on GitHub\n- Attacks via: \n    - cross-site and server-side request forgery (without access to our internal network)\n    - directory traversals\n    - privilege escalation (causing damage to functional properties of our systems)\n    - reflected and stored cross-site scripting with minimum impact (including unauthorised file uploads on our servers to enable phishing)\n    - social engineering attempts (that prompt the user to perform unusual actions on our platforms)\n    - subdomain takeovers\n\n**Examples of MEDIUM Vulnerabilities for MOBILE**\n- The ability to exploit interface logic vulnerabilities to deceive our clients or to enable phishing\n- Attacks via SQL injection with the ability to access sensitive information in local applications\n\n---\n**__We will triage reports of low-severity vulnerabilities, and you will receive reputation points, but we will not reward them unless the impact is severe enough.__**\n\n**Examples of LOW Vulnerabilities for WEB**\n- Attacks via:\n    - cross-site request forgery (non-critical)\n    - ‘HTTP Host Header’ cross-site scripting\n    - mail/SMS bombing\n- The ability to access:\n    - non-sensitive information on third-party platforms like GitHub\n    - non-sensitive .svn or .git files\n     - phpinfo()\n    - temporary files and debug information\n\n**Examples of LOW Vulnerabilities for MOBILE**\n- The ability to:\n    - access low-risk back-end information\n    - exploit vulnerable app 
configurations\n    - exploit vulnerabilities in complex, unusual conditions\n    - hijack app upgrades\n    - load URLs arbitrarily through a component that’s exposed to phishing\n    - obtain clients’ data via social engineering\n    - obtain non-sensitive information from local apps via SQLite injection\n---\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug.\nThe following issues are considered out of scope and will be closed as N/A:\n\n### Web\n- Design flaws and best practices that do not lead to security vulnerabilities\n- Vulnerabilities that are no threat to Binary.com or other users, for example, self-XSS (having a user paste JavaScript into the browser console), etc.\n- Exposure of third-party API keys with no significant security impact\n- Theoretical vulnerabilities without a working proof of concept (PoC)\n- Theoretical subdomain takeovers\n- Minimal security implications such as low-impact CSRF (login/logout), low-impact UI redressing, or misconfigurations that lead to a CORS bypass but without any sensitive information leak\n- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure\n- Session not invalidated after logout\n- Non-sensitive information disclosure, such as error messages, software version disclosure, IP address disclosure, etc.\n- Arbitrary file upload without any impact\n- Vulnerabilities that can only be reproduced in old versions of Internet Explorer\n- HTTP codes/pages, other HTTP non- codes/pages, or etc/insensitive information files\n- Public links, such as social media profile pictures, live videos, etc.\n- Reflected file download attacks\n- SSRF vulnerabilities that do not expose intranet server information (only a DNS request without any impact)\n- Misconfigurations such as:\n    - DNS issues (e.g., MX records, SPF records, etc.)\n    - Reports of insecure SSL/TLS ciphers (unless you have a working proof of 
concept and not just a report from a scanner)\n    - Presence of autocomplete attribute on web forms\n    - Mixed content warnings\n    - Missing security-related HTTP headers that do not directly lead to a vulnerability\n\n### Mobile\n- Absence of certificate pinning\n- Sensitive data in URLs/request bodies when protected by TLS\n- Unencrypted user data stored on external storage (except for app logs with sensitive information or user data for which encryption has been promised)\n- Lack of obfuscation\n- OAuth and app secrets that are hard-coded/recoverable in the APK without proven impact\n- Any kind of sensitive data protected by the app’s private directory\n- App setting allowBackup: true\n- Local DoS attacks with limited impact\n- Malformed intents sent to exported components that only cause the app to crash\n- Any data leak because a malicious app has acquired the appropriate permissions\n- Runtime hacking exploits using tools like, but not limited to, Frida and Appmon\n- Exploits that are only possible in a jailbroken environment\n- Spoofing vulnerabilities\n- Attacks that are only possible on older versions of Android (\u003c 6)\n---\n# Safe harbour\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will make it known that your actions have complied with this policy.\n\nFor any questions, please contact us at security@binary.com. 
Thanks for keeping our business and our customers secure!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-06T06:23:53.790Z"},{"id":3629226,"new_policy":"No technology is perfect. We value working with skilled security researchers around the world to identify security issues within our products and services. \n\n# Bounty Program\nWe offer a monetary reward for reports of security vulnerabilities. Reward amounts will vary based on the severity of the reported vulnerability, and we have the sole discretion to decide who is eligible for the reward. The higher the severity, the higher the payout.\n\nUsually, we’ll reward the first researcher who reports a particular security issue, and only when we make a code or system change in response to that report. 
We may decide to pay more than one researcher for duplicate reports if we’re impressed by the research and the quality of the reports.\n\nWhile we may reject reports on low-impact issues on our sub-domains that are mainly third-party integrations, we’ve rewarded researchers for high-quality reports on security issues that we’ve fixed.\n\nA good quality report consists of:\n* Proof of concept (POC)\n* Suggested fixes\n* Pull requests in GitHub (if applicable)\n\n[Our front-end open-source code](https://github.com/binary-com/binary-static/)\n[developers.binary.com source code](https://github.com/binary-com/websockets)\n[Other related open-source code](https://github.com/binary-com/)\n\n# In scope\nYou may research and report on any of the following:\n* Remote Code Execution (RCE)\n* Price manipulation\n* Bypassing payment options\n* Account takeover\n* Subdomain takeover\n* Cross-site Scripting (XSS)\n* Cross-site Request Forgery (CSRF)\n* Server-Side Request Forgery (SSRF)\n* SQL Injection\n* XML External Entity Attacks (XXE)\n* Access Control Issues (Insecure Direct Object Reference issues, etc)\n* Directory traversal issues\n* Local File Disclosure (LFD)\n* Authorisation issues\n* Information leak\n\n# Out of scope\n* Presence or absence of SPF/DMARC records\n* Clickjacking on static pages\n* CSRF on forms that are available to anonymous users (e.g. the contact form)\n* Login and logout CSRF issues\n* Self XSS which are not exploitable\n* Usage of a known vulnerable library (without evidence of exploitability)\n* Vulnerabilities affecting users of outdated browsers and platforms\n* Attacks requiring physical access to a user's device\n* Presence of autocomplete attribute on web forms\n* Missing cookie flags on non-sensitive cookies\n* Disclosure of known public files or directories, (e.g. 
robots.txt)\n* Reports of insecure SSL/TLS ciphers (unless you have a working POC, and not just a report from a scanner)\n\nIf there is anything in the list above that you think could potentially impact our platform, don’t hesitate to report it with a good POC. We’ll reward you if we’re convinced that we need to change our code, even if it’s a minor issue. \n\nThe following is strictly prohibited and will result in a total ban:\n* Denial of service attacks\n* Spamming\n* Social engineering (including phishing) targeting Binary.com staff or contractors\n* Accessing internal Binary.com data\n* Physical intrusion attempts targeting Binary.com property or data centres\n* Usage of automated scanners\n\n### Important:\nYou are allowed to use reverse proxy tools such as Burp Suite or Zap Proxy for manual testing only. Do not automate the tools on our servers. This will result in a total ban.\n\n# Disclosure policy\nWhen you discover a security issue, let us know as soon as possible, and we’ll resolve it as quickly as we can. Do not disclose any security issues to the public.\n\nIf you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, please let us know in your report.\n\nDo not overexploit any security issue and access internal data for further vulnerabilities. \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-27T07:07:34.963Z"},{"id":3590574,"new_policy":"No technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. 
If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nLow risk – $100 to $200\nThis may include Self-XSS, security policies, best practices, etc.\n\nMedium risk – $200 to $400\nReflected or Stored Cross-Site Scripting, Cross-Site Request Forgery, logical bugs with potential exploitation, etc.\n\nHigh risk – $400 and above\nAuthentication Bypass, SQL Injection, XXE, Remote Code Execution, etc.\n\nBounties will only be paid to the very first reporter, and only if we make a code/system change in response to the report. Sometimes, if the report quality is of a high standard and the security issue is impressive, we may even give out bounties for duplicate reports.\n\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\nNOTE:\nIt is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use reverse proxy tools like Burp Suite/ZAP Proxy, etc., but only for manual testing. DO NOT automate the tools on our servers. We can clearly tell if reports are copy-pasted from automated scanners. This will certainly result in a direct BAN.\n\n\n# Scope\n*.binary.com\n\nWe have a few sub-domains which are 3rd-party integrations. 
So bugs on them with very low impact might get rejected .\nBut we have also paid on behalf of our third party integrations for extremely good security issues and worked along with our third party owners to get it fixed. \n\n# Out-of-scope\n•\tPresence/absence of SPF/DMARC records.\n•\tClickjacking on static pages.\n•\tCSRF on forms that are available to anonymous users (e.g. the contact form)\n•\tLogin and logout CSRF issues\n•\tUse of a known-vulnerable library (without evidence of exploitability)\n•\tVulnerabilities affecting users of outdated browsers and platforms\n•\tAttacks requiring physical access to a user's device\n•\tReports from automated tools or scanners (please refrain from doing this,  You will be banned  for this)\n•\tPresence of autocomplete attribute on web forms\n•\tMissing cookie flags on non-sensitive cookies\n•\tDisclosure of known public files or directories, (e.g. robots.txt)\n•\tReports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n•\tSocial engineering of Binary employees or contractors\n•\tAny physical attempts against Binary property or data centers\n\n\nHOWEVER, listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code (EVEN IF IT’S A MINOR BUG) we will reward you with a bounty. 
Even if we do not change our code, we will mark it as INFORMATIVE rather than NOT APPLICABLE  to avoid discouragement with negative hackerone points .\n\n\n\n# Open-Source code\nPlease note that \nBinary.com's front-end code is open-sourced at \nhttps://github.com/binary-com/binary-static/, \ndevelopers.binary.com is open-sourced at\n https://github.com/binary-com/websockets, \n\nand other Binary.com-related code is open-sourced at\n https://github.com/binary-com/ \n- Please feel free to report any vulnerabilities found in these codes by submitting a pull-request in github. HIGHER bounties will be awarded to reports that include a pull-request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.\n* DO NOT try to over exploit the bug and access internal data for further vulnerabilities. We will determine the severity and reward accordingly.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-04T14:17:44.380Z"},{"id":3578111,"new_policy":"No technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. 
If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nLow risk – $100 to $200\nThis may include Self-XSS, security policies, best practices, etc.\n\nMedium risk – $200 to $400\nReflected or Stored Cross-Site Scripting, Cross-Site Request Forgery, logical bugs with potential exploitation, etc.\n\nHigh risk – $400 and above\nAuthentication Bypass, SQL Injection, XXE, Remote Code Execution, etc.\n\nBounties will only be paid to the very first reporter, and only if we make a code/system change in response to the report. Sometimes, if the report quality is of a high standard and the security issue is impressive, we may even give out bounties for duplicate reports.\n\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\nNOTE:\nIt is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use reverse proxy tools like Burp Suite/ZAP Proxy, etc., but only for manual testing. DO NOT automate the tools on our servers. We can clearly tell if reports are copy-pasted from automated scanners. This will certainly result in a direct BAN.\n\n\n# Scope\n*.binary.com\n\nWe have a few sub-domains which are 3rd-party integrations. 
So bugs on them with very low impact might get rejected .\nBut we have also paid on behalf of our third party integrations for extremely good security issues and worked along with our third party owners to get it fixed. \n\n# Out-of-scope\n•\tPresence/absence of SPF/DMARC records\n•\tCSRF on forms that are available to anonymous users (e.g. the contact form)\n•\tLogin and logout CSRF issues\n•\tUse of a known-vulnerable library (without evidence of exploitability)\n•\tVulnerabilities affecting users of outdated browsers and platforms\n•\tAttacks requiring physical access to a user's device\n•\tReports from automated tools or scanners (please refrain from doing this,  You will be banned  for this)\n•\tPresence of autocomplete attribute on web forms\n•\tMissing cookie flags on non-sensitive cookies\n•\tDisclosure of known public files or directories, (e.g. robots.txt)\n•\tReports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n•\tSocial engineering of Binary employees or contractors\n•\tAny physical attempts against Binary property or data centers\n\n\nHOWEVER, listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code (EVEN IF IT’S A MINOR BUG) we will reward you with a bounty. Even if we do not change our code, we will mark it as INFORMATIVE rather than NOT APPLICABLE  to avoid discouragement with negative hackerone points .\n\n\n\n# Open-Source code\nPlease note that \nBinary.com's front-end code is open-sourced at \nhttps://github.com/binary-com/binary-static/, \ndevelopers.binary.com is open-sourced at\n https://github.com/binary-com/websockets, \n\nand other Binary.com-related code is open-sourced at\n https://github.com/binary-com/ \n- Please feel free to report any vulnerabilities found in these codes by submitting a pull-request in github. 
HIGHER bounties will be awarded to reports that include a pull-request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.\n* DO NOT try to over exploit the bug and access internal data for further vulnerabilities. We will determine the severity and reward accordingly.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-30T07:18:17.763Z"},{"id":3567231,"new_policy":"#PLEASE STICK TO THE DOMAINS AND SUB-DOMAINS THAT ARE LISTED IN THE SCOPE TO AVOID NEGATIVE POINTS\n\n#Not all 404 errors are subdomain take overs. Be wise before reporting subdomain takeovers . Like trades.binary.com \n\n#Senseless click jacking gets an N/A without explanation.\n\nNo technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.\n* DO NOT try to over-exploit the bug and access internal data for further vulnerabilities. We will determine the severity and reward accordingly.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nVery low risk (non-security issues which we would still like to fix) – $10-$25\nThis may include UI bugs, functional bugs, etc.\n\nLow risk (low/negligible security impact bugs) – $25-$100\nThis may include Self-XSS, security policies, best practices, etc.\n\nMedium risk – e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-$200\n\nHigh risk – e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-$1,000\n\nBounties will only be paid to the very first reporter, and only if we make a code/system change in response to the report. 
Sometimes, if the report quality is of a high standard and the security issue is impressive, we may even give out bounties for duplicate reports.\n\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\nNOTE:\nIt is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use reverse proxy tools like Burp Suite/ZAP Proxy, etc., but only for manual testing. DO NOT automate the tools on our servers. We can clearly tell if reports are copy-pasted from automated scanners. This will certainly result in a direct BAN.\n\n\n# Scope\n\nThe following issues are also out-of-scope:\n\n• Any reports related to HTTP headers (including clickjacking, HSTS, etc.) on these domains:\n- developers.binary.com\n- static.binary.com\n- blog.binary.com\n- banners.binary.com\n- tradingview.binary.com\n- highcharts.binary.com\n\nAlso on any subdomain with static pages where these issues are not exploitable.\n•\tPresence/absence of SPF/DMARC records\n•\tCSRF on forms that are available to anonymous users (e.g. the contact form)\n•\tLogin and logout CSRF issues\n•\tUse of a known-vulnerable library (without evidence of exploitability)\n•\tVulnerabilities affecting users of outdated browsers and platforms\n•\tAttacks requiring physical access to a user's device\n•\tReports from automated tools or scanners (please refrain from doing this; you will be banned for this)\n•\tPresence of autocomplete attribute on web forms\n•\tMissing cookie flags on non-sensitive cookies\n•\tDisclosure of known public files or directories (e.g. 
robots.txt)\n•\tReports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n•\tSocial engineering of Binary employees or contractors\n•\tAny physical attempts against Binary property or data centers\n\n\nHOWEVER, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code (EVEN IF IT’S A MINOR BUG) we will reward you with a bounty. Even if we do not change our code, we will mark it as INFORMATIVE rather than NOT APPLICABLE  to avoid discouragement with negative hackerone points :)\n\n# Open-Source code\nPlease note that \nBinary.com's front-end code is open-sourced at \nhttps://github.com/binary-com/binary-static/, \ndevelopers.binary.com is open-sourced at\n https://github.com/binary-com/websockets, \n\nand other Binary.com-related code is open-sourced at\n https://github.com/binary-com/ \n- Please feel free to report any vulnerabilities found in these codes by submitting a pull-request in github. HIGHER bounties will be awarded to reports that include a pull-request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-01-22T19:39:16.421Z"},{"id":3562355,"new_policy":"#PLEASE STICK TO THE DOMAINS AND SUB-DOMAINS THAT ARE LISTED IN THE SCOPE TO AVOID NEGATIVE POINTS\n\n#Not all 404 errors are subdomain take overs. Be wise before reporting subdomain takeovers . 
Like trades.binary.com\n\nNo technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.\n* DO NOT try to over-exploit the bug and access internal data for further vulnerabilities. We will determine the severity and reward accordingly.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nVery low risk (non-security issues which we would still like to fix) – $10-$25\nThis may include UI bugs, functional bugs, etc.\n\nLow risk (low/negligible security impact bugs) – $25-$100\nThis may include Self-XSS, security policies, best practices, etc.\n\nMedium risk – e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-$200\n\nHigh risk – e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-$1,000\n\nBounties will only be paid to the very first reporter, and only if we make a code/system change in response to the report. 
Sometimes, if the report quality is of a high standard and the security issue is impressive, we may even give out bounties for duplicate reports.\n\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\nNOTE:\nIt is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use reverse proxy tools like Burp Suite/ZAP Proxy, etc., but only for manual testing. DO NOT automate the tools on our servers. We can clearly tell if reports are copy-pasted from automated scanners. This will certainly result in a direct BAN.\n\n\n# Scope\n\nThe following issues are also out-of-scope:\n\n• Any reports related to HTTP headers (including clickjacking, HSTS, etc.) on these domains:\n- developers.binary.com\n- static.binary.com\n- blog.binary.com\n- banners.binary.com\n- tradingview.binary.com\n- highcharts.binary.com\n\nAlso on any subdomain with static pages where these issues are not exploitable.\n•\tPresence/absence of SPF/DMARC records\n•\tCSRF on forms that are available to anonymous users (e.g. the contact form)\n•\tLogin and logout CSRF issues\n•\tUse of a known-vulnerable library (without evidence of exploitability)\n•\tVulnerabilities affecting users of outdated browsers and platforms\n•\tAttacks requiring physical access to a user's device\n•\tReports from automated tools or scanners (please refrain from doing this; you will be banned for this)\n•\tPresence of autocomplete attribute on web forms\n•\tMissing cookie flags on non-sensitive cookies\n•\tDisclosure of known public files or directories (e.g. 
robots.txt)\n•\tReports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n•\tSocial engineering of Binary employees or contractors\n•\tAny physical attempts against Binary property or data centers\n\n\nHOWEVER, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code (EVEN IF IT’S A MINOR BUG) we will reward you with a bounty. Even if we do not change our code, we will mark it as INFORMATIVE rather than NOT APPLICABLE  to avoid discouragement with negative hackerone points :)\n\n# Open-Source code\nPlease note that \nBinary.com's front-end code is open-sourced at \nhttps://github.com/binary-com/binary-static/, \ndevelopers.binary.com is open-sourced at\n https://github.com/binary-com/websockets, \n\nand other Binary.com-related code is open-sourced at\n https://github.com/binary-com/ \n- Please feel free to report any vulnerabilities found in these codes by submitting a pull-request in github. HIGHER bounties will be awarded to reports that include a pull-request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-27T07:19:07.594Z"},{"id":3542886,"new_policy":"#PLEASE STICK TO THE DOMAINS AND SUB-DOMAINS THAT ARE LISTED IN THE SCOPE TO AVOID NEGATIVE POINTS\n\nNo technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.\n* DO NOT try to over-exploit the bug and access internal data for further vulnerabilities. We will determine the severity and reward accordingly.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nVery low risk (non-security issues which we would still like to fix) – $10-$25\nThis may include UI bugs, functional bugs, etc.\n\nLow risk (low/negligible security impact bugs) – $25-$100\nThis may include Self-XSS, security policies, best practices, etc.\n\nMedium risk – e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-$200\n\nHigh risk – e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-$1,000\n\nBounties will only be paid to the very first reporter, and only if we make a code/system change in response to the report. 
Sometimes, if the report quality is of a high standard and the security issue is impressive, we may even give out bounties for duplicate reports.\n\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\nNOTE:\nIt is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use reverse proxy tools like Burp Suite/ZAP Proxy, etc., but only for manual testing. DO NOT automate the tools on our servers. We can clearly tell if reports are copy-pasted from automated scanners. This will certainly result in a direct BAN.\n\n\n# Scope\n\nThe following issues are also out-of-scope:\n\n• Any reports related to HTTP headers (including clickjacking, HSTS, etc.) on these domains:\n- developers.binary.com\n- static.binary.com\n- blog.binary.com\n- banners.binary.com\n- tradingview.binary.com\n- highcharts.binary.com\n\nAlso on any subdomain with static pages where these issues are not exploitable.\n•\tPresence/absence of SPF/DMARC records\n•\tCSRF on forms that are available to anonymous users (e.g. the contact form)\n•\tLogin and logout CSRF issues\n•\tUse of a known-vulnerable library (without evidence of exploitability)\n•\tVulnerabilities affecting users of outdated browsers and platforms\n•\tAttacks requiring physical access to a user's device\n•\tReports from automated tools or scanners (please refrain from doing this; you will be banned for this)\n•\tPresence of autocomplete attribute on web forms\n•\tMissing cookie flags on non-sensitive cookies\n•\tDisclosure of known public files or directories (e.g. 
robots.txt)\n•\tReports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n•\tSocial engineering of Binary employees or contractors\n•\tAny physical attempts against Binary property or data centers\n\nHOWEVER, even if an issue appears on the out-of-scope list, if you really feel that a bug will have an impact on our platform, please come up with a convincing and working PoC. If it convinces us to change our code (EVEN IF IT’S A MINOR BUG), we will reward you with a bounty. Even if we do not change our code, we will mark the report as INFORMATIVE rather than NOT APPLICABLE, so that you are not discouraged by negative HackerOne points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/, developers.binary.com is open-sourced at https://github.com/binary-com/websockets, and other Binary.com-related code is open-sourced at https://github.com/binary-com/\n\nPlease feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub. HIGHER bounties will be awarded to reports that include a pull request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-07T12:14:18.294Z"},{"id":3418543,"new_policy":"WE HAVE UPDATED OUR POLICY (not much) AND ADDED SOME NEW \"IN SCOPE\" AREAS.\n\n# PLEASE STICK TO THE DOMAINS AND SUB-DOMAINS THAT ARE LISTED IN THE SCOPE TO AVOID NEGATIVE POINTS\n\nNo technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. 
If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the issue quickly.\n* Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.\n* DO NOT try to over-exploit the bug or access internal data in search of further vulnerabilities. We will determine the severity and reward accordingly.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nVery low risk - (non-security issues which we would still like to fix): $10-$25\nThis may include UI bugs, functional bugs, etc.\n\nLow risk - (low/negligible security impact bugs): $25-100\nThis may include self-XSS, security policy and best-practice issues, etc.\n\nMedium risk - e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-200\n\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-1,000\n\nBounties will only be paid to the very first reporter, and only if we make a code/system change in response to the report. 
Sometimes, if the report quality is of a high standard and the security issue is impressive, we may even give out bounties for duplicate reports.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\nNOTE:\nIt is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use intercepting proxy tools like Burp Suite or ZAP, but only for manual testing. DO NOT run automated scans against our servers. We can clearly tell when a report has been copy-pasted from an automated scanner, and this will result in an immediate BAN.\n\n# Scope\n\nThe following issues are also out-of-scope:\n\n•\tAny reports related to HTTP headers (including clickjacking, HSTS, etc.) on these domains:\n- developers.binary.com\n- static.binary.com\n- blog.binary.com\n- banners.binary.com\n- tradingview.binary.com\n- highcharts.binary.com\n\nThe same applies to any subdomain with static pages where these issues are not exploitable.\n•\tPresence/absence of SPF/DMARC records\n•\tCSRF on forms that are available to anonymous users (e.g. the contact form)\n•\tLogin and logout CSRF issues\n•\tUse of a known-vulnerable library (without evidence of exploitability)\n•\tVulnerabilities affecting users of outdated browsers and platforms\n•\tAttacks requiring physical access to a user's device\n•\tReports from automated tools or scanners (please refrain from doing this; you will be banned for it)\n•\tPresence of autocomplete attribute on web forms\n•\tMissing cookie flags on non-sensitive cookies\n•\tDisclosure of known public files or directories (e.g. 
robots.txt)\n•\tReports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n•\tSocial engineering of Binary employees or contractors\n•\tAny physical attempts against Binary property or data centers\n\nHOWEVER, even if an issue appears on the out-of-scope list, if you really feel that a bug will have an impact on our platform, please come up with a convincing and working PoC. If it convinces us to change our code (EVEN IF IT’S A MINOR BUG), we will reward you with a bounty. Even if we do not change our code, we will mark the report as INFORMATIVE rather than NOT APPLICABLE, so that you are not discouraged by negative HackerOne points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/, developers.binary.com is open-sourced at https://github.com/binary-com/websockets, and other Binary.com-related code is open-sourced at https://github.com/binary-com/\n\nPlease feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub. HIGHER bounties will be awarded to reports that include a pull request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-08-16T22:50:35.821Z"},{"id":2893419,"new_policy":"WE HAVE UPDATED OUR POLICY (not much) AND ADDED SOME NEW \"IN SCOPE\" AREAS.\n\n# WE ARE NOT ACCEPTING CLICKJACKING REPORTS FOR SOME TIME AS WE ARE ON GITHUB PAGES AND GITHUB DOESN'T ALLOW US TO ADD X-FRAME HEADERS\n\nNo technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. 
If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the issue quickly.\n* Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.\n* DO NOT try to over-exploit the bug or access internal data in search of further vulnerabilities. We will determine the severity and reward accordingly.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nVery low risk - (non-security issues which we would still like to fix): $10-$25\nThis may include UI bugs, functional bugs, etc.\n\nLow risk - (low/negligible security impact bugs): $25-100\nThis may include self-XSS, security policy and best-practice issues, etc.\n\nMedium risk - e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-200\n\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-1,000\n\nBounties will only be paid to the very first reporter, and only if we make a code/system change in response to the report. 
Sometimes, if the report quality is of a high standard and the security issue is impressive, we may even give out bounties for duplicate reports.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\nNOTE:\nIt is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use intercepting proxy tools like Burp Suite or ZAP, but only for manual testing. DO NOT run automated scans against our servers. We can clearly tell when a report has been copy-pasted from an automated scanner, and this will result in an immediate BAN.\n\n# Scope\n\nThe following issues are also out-of-scope:\n\n•\tAny reports related to HTTP headers (including clickjacking, HSTS, etc.) on these domains:\n- developers.binary.com\n- static.binary.com\n- blog.binary.com\n- banners.binary.com\n- tradingview.binary.com\n- highcharts.binary.com\n\nThe same applies to any subdomain with static pages where these issues are not exploitable.\n•\tPresence/absence of SPF/DMARC records\n•\tCSRF on forms that are available to anonymous users (e.g. the contact form)\n•\tLogin and logout CSRF issues\n•\tUse of a known-vulnerable library (without evidence of exploitability)\n•\tVulnerabilities affecting users of outdated browsers and platforms\n•\tAttacks requiring physical access to a user's device\n•\tReports from automated tools or scanners (please refrain from doing this; you will be banned for it)\n•\tPresence of autocomplete attribute on web forms\n•\tMissing cookie flags on non-sensitive cookies\n•\tDisclosure of known public files or directories (e.g. 
robots.txt)\n•\tReports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n•\tSocial engineering of Binary employees or contractors\n•\tAny physical attempts against Binary property or data centers\n\nHOWEVER, even if an issue appears on the out-of-scope list, if you really feel that a bug will have an impact on our platform, please come up with a convincing and working PoC. If it convinces us to change our code (EVEN IF IT’S A MINOR BUG), we will reward you with a bounty. Even if we do not change our code, we will mark the report as INFORMATIVE rather than NOT APPLICABLE, so that you are not discouraged by negative HackerOne points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/, developers.binary.com is open-sourced at https://github.com/binary-com/websockets, and other Binary.com-related code is open-sourced at https://github.com/binary-com/\n\nPlease feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub. HIGHER bounties will be awarded to reports that include a pull request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-13T02:17:41.727Z"},{"id":2882147,"new_policy":"WE HAVE UPDATED OUR POLICY (not much) AND ADDED SOME NEW \"IN SCOPE\" AREAS.\n\nNo technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the issue quickly.\n* Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.\n* DO NOT try to over-exploit the bug or access internal data in search of further vulnerabilities. We will determine the severity and reward accordingly.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nVery low risk - (non-security issues which we would still like to fix): $10-$25\nThis may include UI bugs, functional bugs, etc.\n\nLow risk - (low/negligible security impact bugs): $25-100\nThis may include self-XSS, security policy and best-practice issues, etc.\n\nMedium risk - e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-200\n\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-1,000\n\nBounties will only be paid to the very first reporter, and only if we make a code/system change in response to the report. 
Sometimes, if the report quality is of a high standard and the security issue is impressive, we may even give out bounties for duplicate reports.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\nNOTE:\nIt is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use intercepting proxy tools like Burp Suite or ZAP, but only for manual testing. DO NOT run automated scans against our servers. We can clearly tell when a report has been copy-pasted from an automated scanner, and this will result in an immediate BAN.\n\n# Scope\n\nThe following issues are also out-of-scope:\n\n•\tAny reports related to HTTP headers (including clickjacking, HSTS, etc.) on these domains:\n- developers.binary.com\n- static.binary.com\n- blog.binary.com\n- banners.binary.com\n- tradingview.binary.com\n- highcharts.binary.com\n\nThe same applies to any subdomain with static pages where these issues are not exploitable.\n•\tPresence/absence of SPF/DMARC records\n•\tCSRF on forms that are available to anonymous users (e.g. the contact form)\n•\tLogin and logout CSRF issues\n•\tUse of a known-vulnerable library (without evidence of exploitability)\n•\tVulnerabilities affecting users of outdated browsers and platforms\n•\tAttacks requiring physical access to a user's device\n•\tReports from automated tools or scanners (please refrain from doing this; you will be banned for it)\n•\tPresence of autocomplete attribute on web forms\n•\tMissing cookie flags on non-sensitive cookies\n•\tDisclosure of known public files or directories (e.g. 
robots.txt)\n•\tReports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n•\tSocial engineering of Binary employees or contractors\n•\tAny physical attempts against Binary property or data centers\n\nHOWEVER, even if an issue appears on the out-of-scope list, if you really feel that a bug will have an impact on our platform, please come up with a convincing and working PoC. If it convinces us to change our code (EVEN IF IT’S A MINOR BUG), we will reward you with a bounty. Even if we do not change our code, we will mark the report as INFORMATIVE rather than NOT APPLICABLE, so that you are not discouraged by negative HackerOne points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/, developers.binary.com is open-sourced at https://github.com/binary-com/websockets, and other Binary.com-related code is open-sourced at https://github.com/binary-com/\n\nPlease feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub. HIGHER bounties will be awarded to reports that include a pull request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-09T09:37:50.368Z"},{"id":2882144,"new_policy":"WE HAVE UPDATED OUR POLICY (not much) AND ADDED SOME NEW \"IN SCOPE\" AREAS.\n\nNo technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the issue quickly.\n* Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.\n* DO NOT try to over-exploit the bug or access internal data in search of further vulnerabilities. We will determine the severity and reward accordingly.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nVery low risk - (non-security issues which we would still like to fix): $10-$25\nThis may include UI bugs, functional bugs, etc.\n\nLow risk - (low/negligible security impact bugs): $25-100\nThis may include self-XSS, security policy and best-practice issues, etc.\n\nMedium risk - e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-200\n\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-1,000\n\nBounties will only be paid to the very first reporter, and only if we make a code/system change in response to the report. 
Sometimes, if the report quality is of a high standard and the security issue is impressive, we may even give out bounties for duplicate reports.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\nNOTE:\nIt is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use intercepting proxy tools like Burp Suite or ZAP, but only for manual testing. DO NOT run automated scans against our servers. We can clearly tell when a report has been copy-pasted from an automated scanner, and this will result in an immediate BAN.\n\n# Scope\n\nThe following issues are also out-of-scope:\n\n•\tAny reports related to HTTP headers (including clickjacking, HSTS, etc.) on these domains:\n- developers.binary.com\n- static.binary.com\n- blog.binary.com\n- banners.binary.com\n- tradingview.binary.com\n- highcharts.binary.com\n\nThe same applies to any subdomain with static pages where these issues are not exploitable.\n•\tPresence/absence of SPF/DMARC records\n•\tCSRF on forms that are available to anonymous users (e.g. the contact form)\n•\tLogin and logout CSRF issues\n•\tUse of a known-vulnerable library (without evidence of exploitability)\n•\tVulnerabilities affecting users of outdated browsers and platforms\n•\tAttacks requiring physical access to a user's device\n•\tReports from automated tools or scanners (please refrain from doing this; you will be banned for it)\n•\tPresence of autocomplete attribute on web forms\n•\tMissing cookie flags on non-sensitive cookies\n•\tDisclosure of known public files or directories (e.g. 
robots.txt)\n•\tReports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n•\tSocial engineering of Binary employees or contractors\n•\tAny physical attempts against Binary property or data centers\n\nHOWEVER, even if an issue appears on the out-of-scope list, if you really feel that a bug will have an impact on our platform, please come up with a convincing and working PoC. If it convinces us to change our code (EVEN IF IT’S A MINOR BUG), we will reward you with a bounty. Even if we do not change our code, we will mark the report as INFORMATIVE rather than NOT APPLICABLE, so that you are not discouraged by negative HackerOne points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/, developers.binary.com is open-sourced at https://github.com/binary-com/websockets, and other Binary.com-related code is open-sourced at https://github.com/binary-com/\n\nPlease feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub. HIGHER bounties will be awarded to reports that include a pull request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-09T09:37:20.840Z"},{"id":2882139,"new_policy":"WE HAVE UPDATED OUR POLICY (not much) AND ADDED SOME NEW \"IN SCOPE\" AREAS.\n\nNo technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the issue quickly.\n* Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.\n* DO NOT try to over-exploit the bug or access internal data in search of further vulnerabilities. We will determine the severity and reward accordingly.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nVery low risk - (non-security issues which we would still like to fix): $10-$25\nThis may include UI bugs, functional bugs, etc.\n\nLow risk - (low/negligible security impact bugs): $25-100\nThis may include self-XSS, security policy and best-practice issues, etc.\n\nMedium risk - e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-200\n\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-1,000\n\nBounties will only be paid to the very first reporter, and only if we make a code/system change in response to the report. 
Sometimes, if the report quality is of a high standard and the security issue is impressive, we may even give out bounties for duplicate reports.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\nNOTE:\nIt is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use intercepting proxy tools like Burp Suite or ZAP, but only for manual testing. DO NOT run automated scans against our servers. We can clearly tell when a report has been copy-pasted from an automated scanner, and this will result in an immediate BAN.\n\n# Scope\n\nThe following issues are also out-of-scope:\n\n•\tAny reports related to HTTP headers (including clickjacking, HSTS, etc.) on these domains: developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com, and also on any subdomain with static pages where these issues are not exploitable.\n•\tPresence/absence of SPF/DMARC records\n•\tCSRF on forms that are available to anonymous users (e.g. the contact form)\n•\tLogin and logout CSRF issues\n•\tUse of a known-vulnerable library (without evidence of exploitability)\n•\tVulnerabilities affecting users of outdated or unpatched browsers and platforms\n•\tAttacks requiring physical access to a user's device\n•\tReports from automated tools or scanners (please refrain from doing this; you will be banned for it)\n•\tPresence of autocomplete attribute on web forms\n•\tMissing cookie flags on non-sensitive cookies\n•\tDisclosure of known public files or directories (e.g. 
robots.txt)\n•\tReports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n•\tSocial engineering of Binary employees or contractors\n•\tAny physical attempts against Binary property or data centers\n\nHOWEVER, even if an issue appears on the out-of-scope list, if you really feel that a bug will have an impact on our platform, please come up with a convincing and working PoC. If it convinces us to change our code (EVEN IF IT’S A MINOR BUG), we will reward you with a bounty. Even if we do not change our code, we will mark the report as INFORMATIVE rather than NOT APPLICABLE, so that you are not discouraged by negative HackerOne points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/, developers.binary.com is open-sourced at https://github.com/binary-com/websockets, and other Binary.com-related code is open-sourced at https://github.com/binary-com/\n\nPlease feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub. HIGHER bounties will be awarded to reports that include a pull request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-09T09:30:58.901Z"},{"id":2882130,"new_policy":"WE HAVE UPDATED OUR POLICY (not much) AND ADDED SOME NEW \"IN SCOPE\" AREAS.\n\nNo technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to resolve the issue quickly.\n* Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.\n* DO NOT try to over-exploit the bug or access internal data in search of further vulnerabilities. We will determine the severity and reward accordingly.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nVery low risk - (non-security issues which we would still like to fix): $10-$25\nThis may include UI bugs, functional bugs, etc.\n\nLow risk - (low/negligible security impact bugs): $25-100\nThis may include self-XSS, security policy and best-practice issues, etc.\n\nMedium risk - e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-200\n\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-1,000\n\nBounties will only be paid to the very first reporter, and only if we make a code/system change in response to the report. 
Sometimes, if the report quality is of a high standard and the security issue is impressive, we may even give out bounties for duplicate reports.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\nNOTE:\nIt is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use intercepting proxy tools like Burp Suite or ZAP, but only for manual testing. DO NOT run automated scans against our servers. We can clearly tell when a report has been copy-pasted from an automated scanner, and this will result in an immediate BAN.\n\n# Scope\n\nThe following issues are also out-of-scope:\n\n•\tAny reports related to HTTP headers (including clickjacking, HSTS, etc.) on these domains: developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com, and also on any subdomain with static pages where these issues are not exploitable.\n•\tPresence/absence of SPF/DMARC records\n•\tCSRF on forms that are available to anonymous users (e.g. the contact form)\n•\tLogin and logout CSRF issues\n•\tUse of a known-vulnerable library (without evidence of exploitability)\n•\tVulnerabilities affecting users of outdated or unpatched browsers and platforms\n•\tAttacks requiring physical access to a user's device\n•\tReports from automated tools or scanners (please refrain from doing this; you will be banned for it)\n•\tPresence of autocomplete attribute on web forms\n•\tMissing cookie flags on non-sensitive cookies\n•\tDisclosure of known public files or directories (e.g. 
robots.txt)\n- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n- Social engineering of Binary employees or contractors\n- Any physical attempts against Binary property or data centers\n\nHOWEVER, even if an issue is on the out-of-scope list, if you genuinely believe the bug has an impact on our platform, please provide a convincing and working PoC. If that convinces us to change our code (EVEN IF IT'S A MINOR BUG), we will reward you with a bounty. Even if we do not change our code, we will mark the report as INFORMATIVE rather than NOT APPLICABLE, to avoid discouraging you with negative HackerOne points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/, developers.binary.com is open-sourced at https://github.com/binary-com/websockets, and other Binary.com-related code is open-sourced at https://github.com/binary-com/. Please feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub. HIGHER bounties will be awarded to reports that include a pull request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-09T09:27:39.755Z"},{"id":2882127,"new_policy":"WE HAVE UPDATED OUR POLICY (not much) AND ADDED SOME NEW \"IN SCOPE\" AREAS.\n\nNo technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.\n* DO NOT try to over-exploit the bug or access internal data in search of further vulnerabilities. We will determine the severity and reward accordingly.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nVery low risk - (non-security issues) - $10-$25\nThis may include UI bugs, functional bugs, etc.\n\nLow risk - (issues with low/negligible security impact) - $25-$100\nThis may include Self-XSS, security policies, best practices, etc.\n\nMedium risk - e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-$200\n\nHigh risk - e.g. 
Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-$1,000\n\nBounties will only be paid if we make a code/system change in response to the report, and if the vulnerability hasn't already been reported by someone else.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\nNOTE:\nIt is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use intercepting proxy tools such as Burp Suite or ZAP, but only for manual testing. DO NOT run automated scans against our servers. We can clearly tell when reports are copy-pasted from automated scanners, and this will result in a direct ban.\n\n# Scope\n\nThe following issues are also out-of-scope:\n\n- Any reports related to HTTP headers (including clickjacking, HSTS, etc.) on these domains: developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com, and on any subdomain with static pages where these issues are not exploitable.\n- Presence/absence of SPF/DMARC records\n- CSRF on forms that are available to anonymous users (e.g. the contact form)\n- Login and logout CSRF issues\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n- Attacks requiring physical access to a user's device\n- Reports from automated tools or scanners (please refrain from doing this; you will be banned for it)\n- Presence of autocomplete attribute on web forms\n- Missing cookie flags on non-sensitive cookies\n- Disclosure of known public files or directories (e.g. 
robots.txt)\n- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n- Social engineering of Binary employees or contractors\n- Any physical attempts against Binary property or data centers\n\nHOWEVER, even if an issue is on the out-of-scope list, if you genuinely believe the bug has an impact on our platform, please provide a convincing and working PoC. If that convinces us to change our code (EVEN IF IT'S A MINOR BUG), we will reward you with a bounty. Even if we do not change our code, we will mark the report as INFORMATIVE rather than NOT APPLICABLE, to avoid discouraging you with negative HackerOne points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/, developers.binary.com is open-sourced at https://github.com/binary-com/websockets, and other Binary.com-related code is open-sourced at https://github.com/binary-com/. Please feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub. HIGHER bounties will be awarded to reports that include a pull request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-09T09:22:39.356Z"},{"id":2882093,"new_policy":"WE HAVE UPDATED AND ADDED SOME NEW IN SCOPE AREAS.\n\nNo technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.\n* DO NOT try to over-exploit the bug or access internal data in search of further vulnerabilities. We will determine the severity and reward accordingly.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nVery low risk - (non-security issues) - $10-$25\nThis may include UI bugs, functional bugs, etc.\n\nLow risk - (issues with low/negligible security impact) - $25-$100\nThis may include Self-XSS, security policies, best practices, etc.\n\nMedium risk - e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-$200\n\nHigh risk - e.g. 
Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-$1,000\n\nBounties will only be paid if we make a code/system change in response to the report, and if the vulnerability hasn't already been reported by someone else.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\nNOTE:\nIt is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use intercepting proxy tools such as Burp Suite or ZAP, but only for manual testing. DO NOT run automated scans against our servers. We can clearly tell when reports are copy-pasted from automated scanners, and this will result in a direct ban.\n\n# Scope\n\nThe following issues are also out-of-scope:\n\n- Any reports related to HTTP headers (including clickjacking, HSTS, etc.) on these domains: developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com, and on any subdomain with static pages where these issues are not exploitable.\n- Presence/absence of SPF/DMARC records\n- CSRF on forms that are available to anonymous users (e.g. the contact form)\n- Login and logout CSRF issues\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n- Attacks requiring physical access to a user's device\n- Reports from automated tools or scanners (please refrain from doing this; you will be banned for it)\n- Presence of autocomplete attribute on web forms\n- Missing cookie flags on non-sensitive cookies\n- Disclosure of known public files or directories (e.g. 
robots.txt)\n- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n- Social engineering of Binary employees or contractors\n- Any physical attempts against Binary property or data centers\n\nHOWEVER, even if an issue is on the out-of-scope list, if you genuinely believe the bug has an impact on our platform, please provide a convincing and working PoC. If that convinces us to change our code (EVEN IF IT'S A MINOR BUG), we will reward you with a bounty. Even if we do not change our code, we will mark the report as INFORMATIVE rather than NOT APPLICABLE, to avoid discouraging you with negative HackerOne points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/, developers.binary.com is open-sourced at https://github.com/binary-com/websockets, and other Binary.com-related code is open-sourced at https://github.com/binary-com/. Please feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub. HIGHER bounties will be awarded to reports that include a pull request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-09T09:08:05.373Z"},{"id":2153993,"new_policy":"No technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. 
We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nVery low risk - (i.e. minor issues that are not exploitable) - $10-$25\nLow risk - e.g. Open Redirection or Self Cross-Site Scripting, Session bugs: $25-$100\nMedium risk - e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-$200\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-$1,000\n\nBounties will only be paid if we make a code/system change in response to the report, and if the vulnerability hasn't already been reported by someone else.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\n# Scope\nPlease test only the following sub-domains: www.binary.com, developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com. 
All other domains should not be tested, as they resolve to third-party systems where we have no access to the source code.\n\nThe following issues are also out-of-scope:\n\n- Any reports related to HTTP headers (including clickjacking, HSTS, etc.) on these domains: developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com\n- Presence/absence of SPF/DMARC records\n- CSRF on forms that are available to anonymous users (e.g. the contact form)\n- Login and logout CSRF issues\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n- Attacks requiring physical access to a user's device\n- Missing security headers which do not lead directly to a vulnerability\n- Missing best practices (we require evidence of a security vulnerability)\n- Self-XSS (making users attack themselves is not a security issue)\n- Reports from automated tools or scanners (please refrain from doing this)\n- Presence of autocomplete attribute on web forms\n- Missing cookie flags on non-sensitive cookies\n- Disclosure of known public files or directories (e.g. robots.txt)\n- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n- Social engineering of Binary employees or contractors\n- Any physical attempts against Binary property or data centers\n\nHOWEVER, even if an issue is on the out-of-scope list, if you genuinely believe the bug has an impact on our platform, please provide a convincing and working PoC. If that convinces us to change our code (even if it's a very minor bug), we will reward you with a bounty. 
Even if we do not change our code, we will mark the report as WON'T FIX rather than OUT OF SCOPE, to avoid discouraging you with negative HackerOne points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/, developers.binary.com is open-sourced at https://github.com/binary-com/websockets, and other Binary.com-related code is open-sourced at https://github.com/binary-com/. Please feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub. Higher bounties will be awarded to reports that include a pull request with a suggested fix.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-01-10T03:15:24.976Z"},{"id":1976360,"new_policy":"No technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:\n\nVery low risk - (i.e. minor issues that are not exploitable) - $10-$25\nLow risk - e.g. Open Redirection or Self Cross-Site Scripting, Session bugs: $25-$100\nMedium risk - e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-$200\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-$1,000\n\nBounties will only be paid if we make a code/system change in response to the report, and if the vulnerability hasn't already been reported by someone else.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\n# Scope\nPlease test only the following sub-domains: www.binary.com, developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com. All other domains should not be tested, as they resolve to third-party systems where we have no access to the source code.\n\nThe following issues are also out-of-scope:\n\n- Any reports related to HTTP headers (including clickjacking, HSTS, etc.) on these domains: developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com\n- Presence/absence of SPF/DMARC records\n- CSRF on forms that are available to anonymous users (e.g. 
the contact form)\n- Login and logout CSRF issues\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n- Attacks requiring physical access to a user's device\n- Missing security headers which do not lead directly to a vulnerability\n- Missing best practices (we require evidence of a security vulnerability)\n- Self-XSS (making users attack themselves is not a security issue)\n- Reports from automated tools or scanners (please refrain from doing this)\n- Presence of autocomplete attribute on web forms\n- Missing cookie flags on non-sensitive cookies\n- Disclosure of known public files or directories (e.g. robots.txt)\n- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n- Social engineering of Binary employees or contractors\n- Any physical attempts against Binary property or data centers\n\nHOWEVER, even if an issue is on the out-of-scope list, if you genuinely believe the bug has an impact on our platform, please provide a convincing and working PoC. If that convinces us to change our code (even if it's a very minor bug), we will reward you with a bounty. 
Even if we do not change our code, we will mark the report as WON'T FIX rather than OUT OF SCOPE, to avoid discouraging you with negative HackerOne points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/ and other Binary.com-related code is open-sourced at https://github.com/binary-com/. Please feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-11-09T11:25:52.511Z"},{"id":1975944,"new_policy":"No technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. 
As a general ballpark:\n\nVery low risk - (i.e. minor issues that are not exploitable) - $10-$25\nLow risk - e.g. Open Redirection or Self Cross-Site Scripting, Session bugs: $25-$100\nMedium risk - e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-$200\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-$1,000\n\nBounties will only be paid if we make a code/system change in response to the report, and if the vulnerability hasn't already been reported by someone else.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\n# Scope\nPlease test only the following sub-domains: www.binary.com, developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com. All other domains should not be tested, as they resolve to third-party systems where we have no access to the source code.\n\nThe following issues are also out-of-scope:\n\n- Any reports related to HTTP headers on these domains (developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com)\n- Presence/absence of SPF/DMARC records\n- CSRF on forms that are available to anonymous users (e.g. 
the contact form)\n- Login and logout CSRF issues\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n- Attacks requiring physical access to a user's device\n- Missing security headers which do not lead directly to a vulnerability\n- Missing best practices (we require evidence of a security vulnerability)\n- Self-XSS (making users attack themselves is not a security issue)\n- Reports from automated tools or scanners (please refrain from doing this)\n- Presence of autocomplete attribute on web forms\n- Missing cookie flags on non-sensitive cookies\n- Disclosure of known public files or directories (e.g. robots.txt)\n- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n- Social engineering of Binary employees or contractors\n- Any physical attempts against Binary property or data centers\n\nHOWEVER, even if an issue is on the out-of-scope list, if you genuinely believe the bug has an impact on our platform, please provide a convincing and working PoC. If that convinces us to change our code (even if it's a very minor bug), we will reward you with a bounty. 
Even if we do not change our code, we will mark the report as WON'T FIX rather than OUT OF SCOPE, to avoid discouraging you with negative HackerOne points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/ and other Binary.com-related code is open-sourced at https://github.com/binary-com/. Please feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-11-09T08:13:11.732Z"},{"id":1975942,"new_policy":"No technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. 
As a general ballpark:\n\nVery low risk - (i.e. minor issues that are not exploitable) - $10-$25\nLow risk - e.g. Open Redirection or Self Cross-Site Scripting, Session bugs: $25-$100\nMedium risk - e.g. Reflected or Persistent Cross-Site Scripting / Cross-Site Request Forgery: $100-$200\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-$1,000\n\nBounties will only be paid if we make a code/system change in response to the report, and if the vulnerability hasn't already been reported by someone else.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\n# Scope\nPlease test only the following sub-domains: www.binary.com, developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com. All other domains should not be tested, as they resolve to third-party systems where we have no access to the source code.\n\nThe following issues are also out-of-scope:\n\n- Any reports related to HTTP headers on these domains (developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com)\n- Presence/absence of SPF/DMARC records\n- CSRF on forms that are available to anonymous users (e.g. 
the contact form)\n- Login and logout CSRF issues\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n- Attacks requiring physical access to a user's device\n- Missing security headers which do not lead directly to a vulnerability\n- Missing best practices (we require evidence of a security vulnerability)\n- Self-XSS (making users attack themselves is not a security issue)\n- Reports from automated tools or scanners (please refrain from doing this)\n- Presence of autocomplete attribute on web forms\n- Missing cookie flags on non-sensitive cookies\n- Disclosure of known public files or directories (e.g. robots.txt)\n- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n- Social engineering of Binary employees or contractors\n- Any physical attempts against Binary property or data centers\n\nHOWEVER, even if an issue is on the out-of-scope list, if you genuinely believe the bug has an impact on our platform, please provide a convincing and working PoC. If that convinces us to change our code (even if it's a very minor bug), we will reward you with a bounty. 
Even if we do not change our code, we will mark the report as WON'T FIX rather than OUT OF SCOPE, to avoid discouraging you with negative HackerOne points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/ and other Binary.com-related code is open-sourced at https://github.com/binary-com/. Please feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-11-09T08:12:01.355Z"},{"id":1966120,"new_policy":"No technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. 
As a general ballpark:\n\nVery low risk - (i.e. minor issues that are not exploitable) - $10-$25\nLow risk - e.g. Open Redirection or Self Cross Site Scripting, Session bugs: $25-100\nMedium risk - e.g. Reflected or Persistent Cross Site Scripting / Cross-Site Request Forgery: $100-200\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-1,000 \n\nBounties will only be paid if we make a code/system change in response to the report, and if the vulnerability hasn't already been reported by someone else.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\n# Scope\nPlease test only the following sub-domains: www.binary.com, developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com. All other domains should not be tested, as they resolve to third party systems where we have no access to the source code.\n\nThe following issues are also out-of-scope:\n\n- Presence/absence of SPF/DMARC records\n- CSRF on forms that are available to anonymous users (e.g. 
the contact form)\n- Login and logout CSRF issues\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n- Attacks requiring physical access to a user's device\n- Missing security headers which do not lead directly to a vulnerability\n- Missing best practices (we require evidence of a security vulnerability)\n- Self-XSS (making users attack themselves is not a security issue)\n- Reports from automated tools or scanners (please refrain from doing this)\n- Presence of autocomplete attribute on web forms\n- Missing cookie flags on non-sensitive cookies\n- Disclosure of known public files or directories (e.g. robots.txt)\n- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n- Social engineering of Binary employees or contractors\n- Any physical attempts against Binary property or data centers\n\nHOWEVER, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code (even if it's a very minor bug) we will reward you with a bounty. 
Even if we do not change our code, we will mark it as WON'T FIX rather than OUT OF SCOPE to avoid discouragement with negative hackerone points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/ and other Binary.com-related code is open-sourced at https://github.com/binary-com/ - please feel free to report any vulnerabilities found in this code by submitting a pull-request in github.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-11-05T02:01:54.880Z"},{"id":1962874,"new_policy":"No technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Bounty Program\nTo show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. 
As a general ballpark:\n\nVery low risk - (i.e. minor issues that are not exploitable) - $10-$25\nLow risk - e.g. Open Redirection or Self Cross Site Scripting, Session bugs: $25-100\nMedium risk - e.g. Reflected or Persistent Cross Site Scripting / Cross-Site Request Forgery: $100-200\nHigh risk - e.g. Authentication Bypass / SQL Injection / XXE / Remote Code Execution: $200-1,000 \n\nBounties will only be paid if we make a code/system change in response to the report, and if the vulnerability hasn't already been reported by someone else.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of Binary.com staff or contractors\n* Any physical attempts against Binary.com property or data centers\n\n# Scope\nPlease test only the following sub-domains: www.binary.com, developers.binary.com, static.binary.com, blog.binary.com, banners.binary.com, tradingview.binary.com, highcharts.binary.com. All other domains should not be tested, as they resolve to third party systems where we have no access to the source code.\n\nThe following issues are also out-of-scope:\n\n- Presence/absence of SPF/DMARC records\n- CSRF on forms that are available to anonymous users (e.g. the contact form)\n- Use of a known-vulnerable library (without evidence of exploitability)\n- Vulnerabilities affecting users of outdated or unpatched browsers and platforms\n- Attacks requiring physical access to a user's device\n- Missing security headers which do not lead directly to a vulnerability\n- Missing best practices (we require evidence of a security vulnerability)\n- Self-XSS (making users attack themselves is not a security issue)\n- Reports from automated tools or scanners (please refrain from doing this)\n- Presence of autocomplete attribute on web forms\n- Missing cookie flags on non-sensitive cookies\n- Disclosure of known public files or directories (e.g. 
robots.txt)\n- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)\n- Social engineering of Binary employees or contractors\n- Any physical attempts against Binary property or data centers\n\nHOWEVER, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code (even if it's a very minor bug) we will reward you with a bounty. Even if we do not change our code, we will mark it as WON'T FIX rather than OUT OF SCOPE to avoid discouragement with negative hackerone points :)\n\n# Open-Source code\nPlease note that Binary.com's front-end code is open-sourced at https://github.com/binary-com/binary-static/ and other Binary.com-related code is open-sourced at https://github.com/binary-com/ - please feel free to report any vulnerabilities found in this code by submitting a pull-request in github.\n\nThank you for helping keep Binary.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-11-04T06:44:35.352Z"}]