qTrade is a digital asset exchange, so our security is of critical importance to us and our users. Although we've made every effort to squash bugs, there is always the possibility we missed one posing a significant vulnerability. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
This bounty brief describes the rules of qTrade's bug bounty program, as well as the eligibility of vulnerabilities and the rewards.
Disclosure Policy and Rules
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Initially report the bug only to us and not to anyone else.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party, and give us adequate written warning before disclosing it to anyone else.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Physical access to qTrade property or data centers is prohibited.
- Denial of service is prohibited.
- Only target your own accounts in the process of investigating the bug. Don't target, attempt to access, or otherwise disrupt the accounts of other users.
Rewards
- Rewards are based on severity per the Vulnerability Classifications provided below. Please note these are general guidelines, and that reward decisions are up to the discretion of qTrade.
- The minimum payout is $100 USD (paid in BTC) for reporting a low-severity issue with the possibility of direct exploitation.
- The maximum reward is $5000 (paid in BTC), and we may award higher amounts based on the severity or creativity of the vulnerability found. Please reference the Severity table below.
- Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.
Scope
- All services provided by qTrade are eligible for our bug bounty program, including the API, Merchant Tools, and the Exchange.
- Vulnerabilities and bugs on services operated by third parties, such as our support desk, blogs, etc. are currently not eligible for reward.
- High impact vulnerabilities outside of this scope might be considered on a case-by-case basis.
Ineligible issues
- Theoretical vulnerabilities without actual proof of concept
- Attacks requiring MITM or physical access to a user's device.
- Email verification deficiencies, expiration of password reset links, and password complexity policies
- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
- Clickjacking/UI redressing with minimal security impact
- Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
- Internally known issues, duplicate issues, or issues which have already been made public
- Tab-nabbing
- Self-XSS
- Vulnerabilities only exploitable on out-of-date browsers or platforms
- Vulnerabilities related to auto-fill web forms
- Use of known vulnerable libraries without actual proof of concept
- Lack of security flags in cookies
- Issues related to unsafe SSL/TLS cipher suites or protocol version
- Content spoofing
- Cache-control related issues
- Exposure of internal IP address or domains
- Missing security headers that do not lead to direct exploitation
- CSRF with negligible security impact (E.g. adding to favourites, adding to cart, subscribing to a non-critical feature)
- Vulnerabilities that require root/jailbreak
- Vulnerabilities that require physical access to a user's device
- Issues that have no security impact (E.g. Failure to load a web page)
- Assets that do not belong to qTrade
- Phishing (E.g. HTTP Basic Authentication Phishing)
- Session expiry related issues
- Email or mobile enumeration (E.g. the ability to identify emails via password reset)
General Vulnerability Classifications
Critical
- Vulnerabilities that severely undermine trading
- Remote Code Execution on any qTrade backend service
- Vulnerabilities related to key generation, encryption, decryption, signing and verification
- Leaks of user unencrypted private keys / mnemonic / key seed
- Vulnerabilities related to user balance changes
Severe
- Vulnerabilities that undermine or disrupt trading
- Vulnerabilities that cause the qTrade backend to be unable to respond to user queries on orders, transactions, balances, or market depth
- Vulnerabilities allowing a user to withdraw more than their allotted daily limit
Moderate
- Vulnerabilities that leak user information, such as session credentials
- Vulnerabilities that leak user information, such as full name and address details
Low
- Vulnerabilities that affect the stability or availability of the qTrade website
How to report a bug
- Open a support ticket with type 'Bug Report'
- Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or proof of concept.
- Include your BTC address for payment.
- Please allow 2 business days for us to respond before sending another email.