Bug Bounty Program

About the program

Coins.ph recognizes the importance and value of security researchers’ efforts in helping to keep our services safe. We encourage responsible disclosure of vulnerabilities via our public bug bounty program.

A valid report should clearly demonstrate a software vulnerability that harms Coins.ph systems or customers. A report must be a valid, in scope report in order to qualify for a bounty. Coins.ph will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.

Researcher Requirements

Complying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:

1. Providing Coins.ph a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.

2. Making a good faith effort to preserve the confidentiality and integrity of any Coins.ph customer data.

3. Not defrauding Coins.ph customers or Coins.ph itself in the process of participating in the Bug Bounty Program.

4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coins.ph.

5. Reporting vulnerabilities with no conditions, demands, or ransom threats.

Coins.ph considers Social Engineering attacks against Coins.ph employees to be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Coins.ph employees will be banned from the Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.

Exclusions

• Theoretical vulnerabilities without actual proof of concept

• Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)

• Clickjacking/UI redressing with minimal security impact

• Internally known issues, duplicate issues, or issues which have already been made public

• Tab-nabbing

• Self-XSS

• Vulnerabilities only exploitable in old browsers or platforms (e.g. old version of browser which differs from the last stable version or outdated OS which do not receive security updates anymore)

• Lack of security flags in cookies outside of api.coins.asia domain

• Issues related to unsafe SSL/TLS cipher suites or protocol version

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

• Missing security headers that do not lead to direct exploitation

• CSRF with negligible security impact

• CSP Headers, X-Frame-Options, Content sniffing, HPKP, etc.

• Content or text injection issues that are mitigated by CSP Headers or any other mitigations.

- If you submit a report about a missing/incomplete header, please be absolutely sure you are correct that there is a legitimate problem.

- If you believe that one of the above is affecting a major browser in a negative way, come prepared with a working proof of concept. Reports without a proof of concept will be denied.

• Vulnerabilities that require root/jailbreak

• Vulnerabilities that require physical access to a user’s device

• Issues that have no security impact (E.g. Failure to load a web page)

• Assets that do not belong to Coins.ph

• Phishing (E.g. HTTP Basic Authentication Phishing)

• Any activity (like DoS/DDoS) that disrupts our services

• Installation Path Permissions

• Attacks requiring MITM or physical access to a user’s device.

• Missing best practices without a working Proof of Concept.

Reporting Vulnerabilities

All vulnerabilities should be reported at security@coins.ph. In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coins.ph that harms Coins.ph or our customers. Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.

Please include the CVSS v3.1 Score calculation to your report. This will help us to assign the right priority to your report and speed up the process in general. One of the tools that can be used for the calculation: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.

Reports Evaluation

Coins.ph awards bounties based on CVSS v3.1 Overall Score of the vulnerability. In order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coins.ph provides the below table which is based on the historical payouts:

CVSS v3.1 Overall Score // Vulnerability Category // Reward

• 9.0 - 10.0 // Critical // $5000
• 7.0 - 8.9 // High // $1000
• 4.0 - 6.9 // Medium // $500
• 0.1 - 3.9 // Low // $10

How can you contact us about bug bounty questions?

If you have questions or concerns regarding this program, you may contact us on our support page or by contacting directly our Security Officer at security@coins.ph.