To be eligible for the bug bounty, you:
- Must inform us before posting the exploit anywhere, and allow us sufficient time to patch the issue.
- Cannot exploit CoinJar or its customers, or steal money or information from them. If the exploit requires account access, you must use your own.
- Must not defraud CoinJar or any of its customers.
If you are in doubt about anything, please email us with any questions at firstname.lastname@example.org. Provided the above rules are followed, and you operate in good faith, we will not bring legal action against you.
Any software issue that results in the loss/compromise of data or money for CoinJar or any of its customers. The most common examples are:
- Cross-site scripting
- Cross-site request forgery
- Remote code execution
- Clickjacking
- Code injection
- Leaks of sensitive data
We cannot reward bounties for things that are outside of our direct control, such as:
- Social engineering
- Physical access to hardware
- Vulnerabilities in third-party software (Ruby, nginx, etc.)
- Denial of Service
- Usability issues
How to report
If you have an issue to report, please send an email to email@example.com. In your email, include as much detail about the exploit as possible and a Bitcoin address to send the reward to. Our Security Team will get back to you within three days.