If you’ve discovered a security-related issue with coinremitter, it’s important you let us know so we can investigate and resolve it.

Coinremitter recognizes the value external security researchers can bring to the security of our systems, and we welcome and seek to reward eligible contributions from security researchers, as outlined below.

If you believe you have found a security vulnerability on Coinremitter, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting, though, please review this page, including our responsible disclosure policy, reward guidelines, and scope of the program.

Security Researcher and Reporter Eligibility Criteria

All criteria must be met in order to participate in the Bug Bounty Program.

  • You are reporting in your individual capacity or, if you are employed by a company or other entity and are reporting on behalf of your employer, you have your employer’s written approval to submit a report to Coinremitter's Bug Bounty program.
  • You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.
  • You are not on a Government list of sanctioned individuals for any country.
  • You are not currently nor have been an employee of Coinremitter Pte Ltd, or an Coinremitter subsidiary, within 6 months prior to submitting a report.
  • You are not currently nor have been under contract to Coinremitter Pte Ltd, or an Coinremitter subsidiary, within 6 months prior to submitting a report.
  • You are neither a family nor household member of any individual who currently or within the past 6 months meets or met the criteria listed in the two bullet points directly above.
  • You agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your finding with Coinremitter.
  • You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
  • You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information. To clarify, Coinremitter does not view testing that is done in compliance with the terms and conditions of this bug bounty program as unauthorized.
  • There may be additional restrictions on your eligibility to participate in the bug bounty depending upon your local laws.
  • If at any point while researching a vulnerability, you are unsure whether you should continue, immediately send a email to support at coinremitter.com

Sensitive and Personal Information

Never attempt to access anyone else's data or personal information including by exploiting a vulnerability. Such activity is unauthorized. If during your testing you interacted with or obtained access to data or personal information of others, you must:

  • Stop your testing immediately and cease any activity that involves the data or personal information or the vulnerability.
  • Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
  • Alert Coinremitter immediately and support our investigation and mitigation efforts.

Failure to comply with any of the above will immediately disqualify any report from bounty award eligibility.

Out of Scope

  • "Self" XSS
  • HTTP Host Header XSS without working proof-of-concept
  • Incomplete/Missing SPF/DKIM
  • Social Engineering attacks
  • Denial of Service attacks

Bug Bounty Awards

Eligibility for any bug bounty award and award amount determinations are made at our sole discretion. These are some general guidelines that may vary from published documentation:

  1. based on the potential impact of the security vulnerability
  2. for well-written reports with complete reproduction instructions / proof-of-concept (PoC) material. See the eligible report requirements above.
  3. if a functional mitigation or fix is proposed along with the reported vulnerability.
  4. We will award a bounty award for the first eligible report of a security vulnerability.
  5. Awards are limited to one (1) bounty award per eligible root-cause vulnerability.
  6. We will award a bounty from $100 to $10,000 USD depending on the vulnerability type and originality, quality, and content of the report.
  7. Award amounts may change with time. Past rewards do not necessarily guarantee the same reward in the future.

If you have information about a security issue or vulnerability with an Coinremitter, please send an e-mail to support at coinremitter.com