
Bug Bounty Program

Program Overview

At Coinvote.cash, we take security seriously. Our Bug Bounty Program is designed to encourage security researchers to report security vulnerabilities they discover in our platform. We believe that working with the security community is crucial for keeping our platform secure.

We invite security researchers to help us identify and fix security issues in our platform. In return, we offer rewards based on the severity and impact of the vulnerabilities reported.

Scope

The following domains and assets are in scope for our bug bounty program:

  • coinvote.cash (main website)
  • api.coinvote.cash (API endpoints)
  • admin.coinvote.cash (admin panel)
  • Mobile applications (iOS and Android)

Rewards

Rewards are determined based on the severity and impact of the vulnerability. We use the CVSS (Common Vulnerability Scoring System) to assess the severity of reported vulnerabilities.

Severity   CVSS Score   Reward Range
Critical   9.0 - 10.0   $1,000 - $5,000
High       7.0 - 8.9    $500 - $1,000
Medium     4.0 - 6.9    $100 - $500
Low        0.1 - 3.9    $50 - $100

Vulnerability Types

We are particularly interested in the following types of vulnerabilities:

  • Remote Code Execution (RCE)
  • SQL Injection
  • Authentication Bypass
  • Authorization Bypass
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Business Logic Vulnerabilities
  • Sensitive Data Exposure

Out of Scope

The following are considered out of scope for our bug bounty program:

  • Denial of Service (DoS) attacks
  • Rate limiting issues
  • Social engineering attacks
  • Physical security issues
  • Self-XSS
  • Issues requiring physical access to a user's device
  • Issues affecting outdated browsers or platforms
  • Vulnerabilities in third-party applications or websites

Reporting Process

To report a vulnerability, please follow these steps:

  1. Send an email to security@coinvote.cash with the subject line "Bug Bounty Submission"
  2. Include a detailed description of the vulnerability
  3. Provide steps to reproduce the vulnerability
  4. Include screenshots or videos if applicable
  5. Suggest a potential fix if possible

We will acknowledge receipt of your report within 24 hours and provide an initial assessment within 3 business days.

Rules and Guidelines

  • Do not disclose the vulnerability publicly before it has been fixed
  • Do not access, modify, or delete data that does not belong to you
  • Do not perform actions that could harm the reliability or integrity of our services
  • Do not use automated scanning tools without prior approval
  • Only test against accounts you own or have explicit permission to test
  • Do not attempt to access other users' data

Ready to help us improve our security?