
Remitano
Remitano recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page. Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Remitano account has been compromised, change your email password and immediately contact support via [email protected].
The Bug Bounty Program directly serves Remitano's mission by helping us be the trusted way to exchange between fiat and cryptocurrencies. In that spirit, the scope and philosophy of the program aim to safeguard our two highest-priority assets (“Sensitive Data”):
Remitano will make a best effort to meet the following SLAs for hackers participating in our program:
We’ll try to keep you informed about our progress throughout the process.
Please, never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to your fellow users or to Remitano.
| | Critical (CVSS 9.0 - 10.0) | High (CVSS 7.0 - 8.9) | Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9) |
|---|---|---|---|---|
| Class A Rewards | $10,000 | $5,000 | $3,000 | $1,000 |
| Class B Rewards | $5,000 | $2,500 | $1,500 | $500 |
| Class C Rewards | $2,500 | $1,250 | $500 | $100 |
A report must be a valid, in scope report in order to qualify for a bounty. Remitano will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.
In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Remitano that harms Remitano or Remitano customers. Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.
Please be available to cooperate with the Remitano engineering team to provide further information on the report if needed.
In particular, we may decide that multiple reports are so closely related, or are all caused by a single underlying root cause, that we consider them a single vulnerability and reward only once.
We categorize issues into classes as follows:
| Class of issues | Examples | Class of consideration |
|---|---|---|
| Funds being stolen | 1) Reversal of crypto deposit 2) Re-processing of completed fiat or crypto withdrawal 3) Successfully bypassing two-factor authentication to withdraw user fiat or crypto balance | Class A - highest |
| Compromise customer information | 1) Being able to access another user's trading history 2) Successfully compromising a user account without access to his email, Google account or Facebook account | Class B - medium |
| Other issues | 1) Crash or delay the Remitano website without performing a DDoS attack | Class C - low |
Note that we do not consider the following to be valid security attacks:
P2P escrow - connect buyers and sellers to trade cryptos (https://remitano.com). We support P2P escrow trading on 6 currencies: BTC, ETH, USDT, XRP, LTC, BCH.
Wholesale - created for large traders (https://wholesale.remitano.com) with competitive trading fees, which are much lower than those of some of the largest exchanges in the world.
Swap - Swap instantly between cryptos (https://remitano.com/dashboard/wallets)
Invest - Open invest positions with altcoins with Tether USDT (or purchase directly with Fiat) (https://remitano.com/invest)
Forum - Content Management System; users can submit their own posts, and our content team reviews and publishes user content (https://remitano.com/forum)
Wallet - Crypto Wallet management, we support deposit and withdrawal instantly for BTC, ETH, USDT (3 chains: Omni Tether, ERC-20 on Ethereum, TRC-20 on Tron), XRP, LTC, BCH. (https://remitano.com/dashboard/wallets)
Multi-level Referral program (https://remitano.com/r/referral)
Remitano API - Allows access to all of the features of the Remitano platform. Docs: https://developers.remitano.com
Remitano Pay - Add Remitano Payment Gateway to third party ecommerce websites (https://remitano.com/payment_gateway)
Recent releases:
04/2022: Launch nft5.io
11/2021: Launch AMM Liquidity Pool and Swap: https://remitano.com/pool
07/2021: Introduce RENEC Network mining feature https://remitano.com/remitano_pay
06/2021: Launched Remitano Payment Gateway - https://remitano.com/payment_gateway
View this document for the full list of Remitano product updates, including those from early 2020 and 2019.
Our scope is listed below in the structured scope section. Additionally, all vulnerabilities that require or are related to the following are out of scope:
If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.
Remitano pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.
If legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Remitano cannot and does not authorize security research on other entities.
We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time. The current Bug Bounty Program as described on this page is v1.1 of our Bug Bounty Program.