Responsible Disclosure


Reporting Security Issues

If you come across any issues or vulnerabilities in our systems, we would greatly appreciate your sharing this information with us as soon as possible. Major security flaws will be rewarded with a sum of bitcoins (bug bounty) or an honorable mention on our “wall of fame”. The reward amount will depend on the impact of the error, up to a maximum of 2 BTC. Rewards will only be given if you are the first to notify us of a security issue and if it results in a change in the code or configuration. It is imperative that vulnerabilities are not disclosed publicly or shared with third parties until adequate time has been given to resolve the issue. Below are some examples of security errors.

Eligible Vulnerabilities

Examples include:

Cross Site Scripting (XSS) SQL-injection Encryption issues Issues Not to Report

Some security errors are not eligible for a reward as they have a low impact on security. Examples of such security errors are listed below. Please do not report these flaws unless a combination of errors results in a security issue with a greater impact.

General error messages regarding application or server errors. HTTP 404 and other non-HTTP 200 error codes Accessibility of public files and folders (like robots.txt) CSRF-issues on parts of the site accessible to anonymous visitors CSRF-issues without (critical) consequences for users Trace HTTP functions that may be active SSL attacks like BEAST, BREACH, Renegotiation Unused SSL Forward secrecy Anti-MIME-Sniffing header X-Content-Type-functions Missing HTTP security headers Presence of HTTPS Mixed Content Scripts / errors SPF Record settings Rules

Additionally, the following rules apply:

Do not cause any damage during your investigation Do not use social engineering techniques to gain access to our systems Do not publish company or customer data Do not share access with others if you successfully penetrate our systems Do not make any changes in the system Do not access more information than strictly required Do not use brute-force techniques Do not use techniques that can affect the availability of our services Do not disclose or share vulnerabilities with third parties until they are fully resolved

Security issues can be emailed to: Please clearly describe the problem you found and the steps required to reproduce it. Include attachments like screenshots or data dumps to clarify the issue if possible. After receiving the notice, we will send an acknowledgment as soon as possible. We will need some time to study and assess the report. You will receive a substantive response within a maximum of three working days.