Vulnerability Disclosure Programme

EasyCrypto has a Vulnerability Disclosure Programme, based on ISO/IEC 29147:2014.

If you find any issues with EasyCrypto, our domains, APIs, or the websites at easycrypto.ai, easycrypto.com.au, easycrypto.nz, or easycrypto.com, you can report them to us:

  • Our Security Reports form collects the information about the vulnerability that we need to triage your report.
  • If you are unable to use the reporting form, or your disclosure concerns an especially sensitive matter, email security -at- easycrypto.ai

Hall of Fame

We have received numerous reports from white hats and researchers from around the world, as well as from internal staff and penetration testers we have commissioned.

Those who have had a report accepted, and who have allowed us to publish their names, are listed here in our Hall of Fame, most recent first.

  • Parth Narula
  • sdnrat (2nd time)
  • DoTV3N (2nd time)
  • sdnrat
  • DoTV3N
  • Vineet Gurjar (4th time)
  • Vineet Gurjar (3rd time)
  • Vineet Gurjar (2nd time)
  • Dennis Yassine
  • Vineet Gurjar
  • M. Arslan Kabeer
  • Nikhil Rane

Triage

All reports are read and assessed using an industry-standard prioritisation method:

Probability × Impact = Priority

We are interested in high-impact and critical vulnerabilities. Automated scanners flag a lot of low-quality theoretical issues; without a working proof of concept, these remain theoretical and are prioritised as such.

                          Probability
Impact         1 (Low)    2      3      4      5 (High)
5 (High)          5      10     15     20     25
4                 4       8     12     16     20
3                 3       6      9     12     15
2                 2       4      6      8     10
1 (Low)           1       2      3      4      5

Probability × Impact = Priority table

A programme similar to ours that expands on many of these concepts is the Google VRP.

Bounties

Bounties may be paid out for confirmed vulnerabilities based on their Priority.

To be eligible:

  • a. you must be the first person to submit a given vulnerability (SEE NOTE);
  • b. the vulnerability must be considered a realistic security issue by our Security team;
  • c. you must have complied with our programme requirements.

NOTE: some researchers contact us by spamming our entire company demanding a payout. No. Come to the Security team first. Some submissions have lost their precedence because they sat abandoned in a spam folder instead of being sent to the Security team.


Accepted reports with a Priority as low as 1 can qualify for a Hall of Fame entry; bounties begin at Priority 5. Bounties rise exponentially from a payout of roughly USD $20 for a Priority 5 report, all the way up to USD $2,000 for a Priority 25 report. We will pay out in your favourite cryptocurrency, provided you are not a resident of a sanctioned country.

Reports from our employees are welcomed but have a different payout structure.

Ledger have a very good write-up on their Bug Bounty program, and it's a good read. If something isn't acceptable there, it probably isn't acceptable here either.

Contact Us

Ready to contact us? Use one of the two methods at the top of this page.

Ineligible

The following issues are often reported; however, they cannot reasonably be exploited, or they offer no advantage to an attacker:

  • CVE-2017-5487 (WordPress REST API user enumeration) -- this applies to WordPress < 4.7.1, and the usernames it would reveal are hardly secret; have you seen our About Us page?

If you have a novel attack chain that depends on one of the above issues, please Contact Us to describe it.