Coinhako looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
Response Targets
Coinhako will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 5-10 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
While this is a public program, we do not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from us.
Program Rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service (including Denial of Service attacks). Only interact with accounts you own or with explicit permission of the account holder.
- Do not exploit the vulnerability in any way, including by making it public or by obtaining a profit (other than a reward under this Program).
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.
- By submitting a bug, you agree to be bound by the rules.
Test plan
Sign-up for new user accounts is geo-restricted; we recommend using a SOCKS proxy or VPN to set your location to Singapore or Vietnam when signing up for a new account.
Public API Testing
Our trading platform supports a public API for creating, deleting, and listing crypto orders. For more information, please see the Coinhako Public API documentation.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking
- Reports from automated tools or scans, without exploitability demonstration
- Theoretical vulnerabilities without demonstrated security impact
- Robots.txt or Sitemap.xml without demonstrated security impact
- FrontPage configuration information disclosure without demonstrated security impact
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute-force issues
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Missing HTTP header hardening and recommendations (Clickjacking, X-Frame-Options, CORS, ...)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
- Tabnabbing
- Open redirect - unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Cache poisoning
- User/email enumeration
- Email verification deficiencies, expiration of password reset links, and password complexity policies
- Social engineering attacks, including those targeting or impersonating internal employees by any means (e.g. customer service chat features, customer support, social media, personal domains, etc.)
Non-Qualifying Vulnerabilities in the Mobile Apps
- Any CRO cashback gained via a typical purchase, payment or cash advance
- Shared links leaked through the system clipboard.
- Any URIs leaked because a malicious app has permission to view URIs opened
- Absence of certificate pinning
- Sensitive data in URLs/request bodies when protected by TLS
- User data stored unencrypted on external storage and private directory.
- Lack of obfuscation is out of scope
- auth "app secret" hard-coded/recoverable in APK.
- Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL schemes
- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
- Clickjacking/UI redressing with minimal security impact.
- Distributed denial of service attacks (DDOS).
- DNSSEC Misconfiguration
- Lack of binary protection (anti-debugging) controls.
- Lack of exploit mitigations (e.g., PIE, ARC, or stack canaries)
- Path disclosure in the binary
- Snapshot/Pasteboard leakage
- Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)
- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
- Reports that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.
- Reports that result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit.
- Scenarios requiring excessive user interaction or tricking users, such as phishing.
- Exploits based on a complex scenario, or where the probability of exploitation is very low.
- Reports based on information taken or obtained through illegal access to Coinhako.com confidential information.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Coinhako and our users safe!