Details

No technology is perfect, and Bullion Exchanges believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Bounty Program

To show our appreciation of responsible security researchers, Bullion Exchanges offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.

Exclusions

While researching, we'd like to ask you to refrain from:

Denial of service
Spamming
Social engineering (including phishing) of Bullion Exchanges staff or contractors
Any physical attempts against Bullion Exchanges property or data centers

#Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of Bullion Exchanges users is likely to be in scope for the program. Common examples include:

Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Remote Code Execution (RCE)
Unauthorized Access to Accounts
Unauthorized Access to API endpoints
Issues Affecting Account Funds

#Non-Qualifying Vulnerabilities

Depending on their impact, not all reported issues may qualify for a monetary reward. However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive recognition.

Please refrain from accessing private information, performing actions that may negatively affect Bullion Exchanges users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

Attacks requiring physical access to a user's device
Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
Login/logout CSRF
Password and account recovery policies, such as reset link expiration or password complexity
Anything related to the blog
Missing security headers which do not lead directly to a vulnerability
Clickjacking on static websites
Content spoofing / text injection
Use of a known-vulnerable library (without evidence of exploitability)
Issues related to software or protocols not under Bullion Exchanges control
Reports from automated tools or scans
Vulnerabilities affecting users of outdated browsers or platforms
Social engineering of Bullion Exchanges staff or contractors
Any physical attempts against Bullion Exchanges property or data centers Thank you for helping keep Bullion Exchanges and our users safe!

Disclosure Policy

Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Exclusions

While researching, we'd like to ask you to refrain from:

Denial of service

Spamming

Social engineering (including phishing) of Bullion Exchanges staff or contractors

Any physical attempts against Bullion Exchanges property or data centers

#Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of Bullion Exchanges users is likely to be in scope for the program. Common examples include:

Cross Site Scripting (XSS)

Cross Site Request Forgery (CSRF)

Remote Code Execution (RCE)

Unauthorized Access to Accounts

Unauthorized Access to API endpoints

Issues Affecting Account Funds

#Non-Qualifying Vulnerabilities

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

Attacks requiring physical access to a user's device

Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)

Password and account recovery policies, such as reset link expiration or password complexity

Anything related to the blog

Missing security headers which do not lead directly to a vulnerability

Clickjacking on static websites

Content spoofing / text injection

Use of a known-vulnerable library (without evidence of exploitability)

Issues related to software or protocols not under Bullion Exchanges control

Reports from automated tools or scans

Vulnerabilities affecting users of outdated browsers or platforms

Social engineering of Bullion Exchanges staff or contractors

Any physical attempts against Bullion Exchanges property or data centers Thank you for helping keep Bullion Exchanges and our users safe!