We consider the security of our systems a top priority. But, no matter how much effort we put into system security, vulnerabilities could still be present.
If you discover a vulnerability, we would like to know about it so we can take appropriate measures as quickly as possible. We would greatly appreciate your help in protecting our clients and systems.
Please follow the steps below:
- Please send us your your findings via the form that can be found at the bottom of this article.
- To be eligible for a bounty, you must sign up with our partner HackerOne as part of sending your submission.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
- Provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation for instance screenshots about the steps that are needed to reproduce the vulnerability or which software is being used to find the vulnerability.
What we promise:
- We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date.
- If you followed the instructions above, we will not take any legal action against you in regards to the report.
- We will handle your report with strict confidentiality, and we will not pass on your personal details to third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
- As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the leak and the quality of the report. The minimum reward will be €50 in bitcoin.
Known/solved security issues:
The following security issues where discovered in the past, are known to us and have been solved. All these issues where examined and given the appropriate reward and cannot be reported anymore.
- The validity time of the user reset password hash never expire
- More than one unused reset password hash for one user can be active simultaneously
- Clickjacking iFrame inclusion of btcdirect.eu on another domain
- Tabnabbing links with target=“_blank” regarding external rel
- Twig code injection e-mail address registration with execution on “thank you” page.
- Rate limit password forgot functionality (ability to send multiple forgot password e-mails without limit)
- No login session expiration after password change
- No login session expiration after e-mail change
- Logging out users with POST request from external domains
- No limit on the password length, hash denial of service attack
- Session invalidation, reusing logged out session token
- OTP code bypassing (which does not actually activate phone number in our systems)
- OTP code brute-forcing
- Visible login page of nieuws.btcdirect.eu
Trivial security issues:
Security issues with the following properties will not be identified as vulnerabilities that need to be reported. If a combination of such issues creates a security vulnerability we would like to hear it. The issue will be examined and given the appropriate reward.
- General error messages regarding application or server errors
- HTTP 404 and other non-HTTP 200 error messages
- The accessibility of public files and directories (as robots.txt)
- CSRF issues on parts of the site that are available to anonymous users
- CSRF issues that have no (serious) undesirable consequences for users
- Trace HTTP functions that can be active
- SSL attacks like BEAST, BREACH, Renegotiation
- SSL Forward secrecy not used
- Anti-MIME Sniffing header X-Content-Type functions
- The lack of HTTP security headers
- The presence of HTTPS Mixed Content Scripts / error messages