In Scope Vulnerabilities:
Security concerns that typically qualify (though not necessarily in all cases) for the Bug Bounty Program include:
- Remote Code Execution and other code execution
- CSRF (Cross-Site Request Forgery)
- SQL Injection
- File Inclusion (Remote & Local)
- XSS (Cross-Site Scripting)
- Privilege Escalation
- Manipulation of Account Balance
- Authentication Bypass (full or partial)
- SSRF (Server-Side Request Forgery)
- Leakage of privileged information/sensitive data
- Payment Manipulation
- Protection Mechanism Bypass
- Directory Traversal
- Vulnerabilities that can amount to data or financial loss
- Open redirects that may lead to stolen secrets/tokens
- Administration portals that lack an authentication mechanism
Please Note: Privileged information includes API keys, passwords, social security numbers, bank account numbers or equivalents.
Out of Scope Issues:
Issues that fall outside the bounty program include:
- Captcha-related concerns
- Denial of Service (DoS) attacks
- Cache Poisoning
- Deficient rate-limiting mechanisms
- Open redirects that do not have a serious impact
- Clickjacking
- Self-XSS
- Application stack traces
- CSRF issues on actions with minimal impact
- Brute-force attacks
- Missing SPF records
- Missing security best practices, such as missing security headers
- Third-party vulnerabilities, unless they affect the main site
- Spam, social engineering and DDoS attacks
- Vulnerabilities in outdated operating systems
- Vulnerabilities that result in MitM (Man-in-the-Middle) attacks
- Issues that are not reproducible
- Issues that cannot be corrected
- Bugs that have already been reported to us by someone else
- Bugs reported without following the rules and regulations of Barter Trade
- Issues related to cache control
- Bugs in the websites or products of any acquisition, for a period of 180 days after its public announcement
- Reports that do not affect our system's operation, and problems that the customer can solve on their own
Guidelines and Rules:
To participate in our program, please follow these rules and guidelines:
- You can participate in this program if:
  - You are at least 14 years old. If you are at least 14 but are considered a minor where you reside, you need the permission of your parent or legal guardian to participate in this Bug Bounty Program
  - You are an individual security researcher working with your own capabilities
  - You are NOT an active employee of Barter Trade, its subsidiaries or business partners, or a close family member (parent, relative, spouse or child) of such an employee
- Report your findings directly to us using this form, without making any information public or sharing it with any other entity.
- Keep the information about the vulnerability you have discovered confidential. Researchers are expected not to access or destroy other users' data.
- Do not exploit vulnerabilities without permission.
- If the same vulnerability is reported by several researchers at around the same time, the reward goes to the person who reported it first.
- Fill out the form when you find any bugs during the beta testing. You may resubmit the form as many times as you want. Remember, it is *first come, first served* until all the rewards have been distributed.
- Do not compromise any private data, and do not degrade or interrupt any service.
- Do not modify or access other users' data. All tests must be confined to your own account.
- Do not attempt to exploit DDoS/DoS vulnerabilities, or carry out spam or social engineering attacks.
- If you discover a chain of vulnerabilities, we pay only for the one with the highest severity.
- If multiple bugs are discovered, only the first bug will be considered eligible for a reward.
- Stay within the defined scope of the program and do not break any of the rules set out here.
- Do not disclose any information about vulnerabilities publicly until you are granted permission to do so.
- Do NOT send any tokens to our platform. We will provide you with tokens to beta test the platform.
- We reserve the right to publish lists of error reports and of the researchers who provided useful security reports. You may ask to remain anonymous to the public, but we need your legal name and address in order to pay you.
- You must not use errors for your own or a third party's benefit, nor to damage our trading system, software, etc.
- You must not disclose the contents of your error report or publish it elsewhere.
- You must not break the law or compromise any data that is not your own when testing an error or sending an error report.
- When investigating an error, focus only on your own accounts. Never try to gain access to someone else's account or data, and do not take any action that may be unacceptable or damaging to other Barter Trade users or to Barter Trade itself.
- When researching, you must not use the following methods: DDoS attacks, black-hat SEO techniques, spamming people, or writing or using error-based Expert Advisors.
- We also prohibit the use of testing tools known to generate large amounts of automated traffic on the website/application.
If our team finds that you have committed any of the actions listed above, you will not be eligible for a reward. If you report an error that was used in a current or past attack and we have reason to suspect that you are the attacker, we reserve the right not to pay a reward.
How is your error report examined?
Our research team will verify all correctly submitted bug reports and confirm their eligibility. Barter Trade reserves the right to determine which reports qualify. Please note that, given the number of submitted reports and their complexity and completeness, it may take some time to examine your report. Please refrain from disclosing the contents of your report or publishing it elsewhere.
Barter Trade reserves the right to cancel the Bug Bounty Program at any time, for any reason it deems appropriate. Please ensure that you have carefully read and understood all the terms and conditions of this program before preparing and sending us an error report.
By sending us a bug report, you are deemed to agree to all the terms and conditions associated with this program. If you do not agree to these terms, please do not send us an error report or otherwise participate in our Bug Bounty Program.