ATTENTION : ALL TESTS SHOULD BE PERFORMED ON OUR TEST ENVIRONMENT : TEST.DERIBIT.COM Testing directly on www.deribit.com will make you ineligible for bounty and disallowed from further hunting.

Introduction

Deribit is the leading cryptocurrency option exchange by volume and uses the latest available technology to offer microsecond response time. We value security and availability before all so that traders can focus fully on what matters the most to them, making money. As a part of our perpetual quest for improvement and security, we highly respect and value the work of ethical hackers. We take security very seriously and strive to provide lightning fast response times to our hunters. No technology is perfect and Deribit believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web & mobile apps. Deribit continuously pushes out new code. In the event you don’t find anything today, there may be something present tomorrow! We appreciate a timely response on our testnet changes. Good luck, and happy hunting!

Disclosure Policy

• Hackers are not allowed to discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Deribit.
• Follow HackerOne's disclosure guidelines.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Live environment

Testing is only allowed on our test environment. Our live environment (www.deribit.com) contains a few additional features, including KYC verification and cryptocurrency deposit/withdrawal. If you wish to hunt on this features, you first need to find a valid vulnerability on our test environment. Then, you may ask for authorization through your open ticket to hunt on our live environment. Please note that due to strict regulations, Deribit is not open to trading in certain countries

Oudated components

Deribit rewards reports on vulnerable software or dependencies if the following conditions are met:

• A proof-of-concept (PoC) is provided demonstrating exploitability in our infrastructure ;
• The affected component has not been updated within a reasonable timeframe.

We will begin accepting reports once the following timeframes have elapsed since the CVE was published:

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• The live trading systems are only in scope for wallet & balance functionality as the implementation is different on test
• Ability to upgrade from an account:read_write api key to higher privilege is not considered a privilege escalation. This is intended purpose.
• Zendesk
• Newly disclosed Zero Days (refer to Oudated components) and Zero Days
• Clickjacking on Tier 2 targets
• SPF/DMARC misconfiguration
• Deribit open source projects
• Social engineering of Deribit staff or contractor
• Banner grabbing or low sensitive information disclosure
• Any hypothetical flaw or best practices without exploitable POC
• Any report generated by automatic tool without a POC
• Missing security header
• Missing best practice in SSL/TLS configuration
• Vulnerability that require root/jailbreak to exploit
• Password policy
• No rate limiting or too lax
• Wordpress CORS policy, xmlrpc, user enumeration, dos ...
• Broken link
• Attacks requiring MITM or physical access to a user's device
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Missing HttpOnly or Secure flags on cookies
• Customers credentials found on the darknet or other forums if they are not Deribit's fault
• Employees API keys that are only working on our test environment (production's one are in scope)

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under his policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Deribit and our users safe!