Find The Bug And Get Rewarded

'Catch The Bug'
'Catch The Bug' is a bug bounty program by Droplet where the efforts of security researchers, who find and report security-related vulnerabilities in Droplet, are acknowledged and rewarded. With our bug bounty program, we aim to make Droplet the safest and most secure way to invest for long-term cryptocurrency investments. However, one of the major conditions for being rewarded is reporting the vulnerability directly to us and not disclosing it publicly. Please note that non-security issues may also be considered, provided that they are significant. All issues shall be reported through an email to [email protected] and explained in detail.
Guidelines

All researchers are expected to:

  1. Report the finding(s) by writing to us directly on [email protected]. You will receive a confirmation from us within 72 working hours.
  2. Keep the vulnerability confidential and shall report it only to us. Any form of public disclosure of the vulnerability would lead to suspension from the bug bounty program.
  3. Please make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  4. Perform research only within the following limited scope. If you follow these guidelines when reporting an issue to us, we commit to:
    1. Working with you to understand and resolve the issue quickly.
    2. Suitably reward your efforts.
    3. Not pursue or support any legal action related to your research.
Scope and Range of Research
  1. Website: https://bitdroplet.com
  2. Mobile Apps: (Android, iOS)
Properties Out of Range of Research:
  1. Any subdomain not connected to https://bitdroplet.com, Android and iOS mobile apps directly.
Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Any security vulnerability related to the following would be considered under the program:

  1. Cross-site Scripting (XSS)
  2. Cross-Site Request Forgery (CSRF)
  3. Server-Side Request Forgery (SSRF) SQL Injection
  4. Server-Side Remote Code Execution (RCE) XML
  5. External Entity Attacks (XXE) Access Control
  6. Issues (Insecure Direct Object Reference Issues,
  7. Privilege Escalation, etc) Exposed
  8. Administrative Panels that don't require login
  9. credentials Directory Traversal Issues Local
  10. File Disclosure (LFD) and Remote File Inclusion
  11. (RFI) Payments Manipulation Flaw in 3rd party
  12. integrations to make free orders from Droplet
  13. merchants Server-side code execution bugs
Non-Qualifying Vulnerabilities

Vulnerabilities related to following would not be considered under the program:

  1. Open-Redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing OAuth tokens. We still do want to hear about them.
  2. Reports stating that the software is out of date/vulnerable without a 'Proof of Concept'.
  3. Host header issues without an accompanying POC demonstrating vulnerability.
  4. XSS issues that affect only outdated browsers.
  5. Stack traces that disclose information.
  6. Clickjacking and issues only exploitable through clickjacking.
  7. CSV injection. Please see this article: https://goo.gl/bamS8l
  8. Best practices concerns.
  9. Highly speculative reports about theoretical damage. Be concrete.
  10. Self-XSS that can not be used to exploit other users.
  11. Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
  12. Reports from automated web vulnerability scanners (Acunetix, Burp Suite, Vega, etc.) that have not been
  13. validated.
  14. Denial of Service Attacks.
  15. Brute Force Attacks
  16. Reflected File Download (RFD).
  17. Physical or social engineering attempts (this includes phishing attacks against Droplet employees).
  18. Content injection issues.
  19. Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
  20. Missing autocomplete attributes.
  21. Missing cookie flags on non-security-sensitive cookies.
  22. Issues that require physical access to a victim's computer.
  23. Missing security headers that do not present an immediate security vulnerability.
  24. Fraud Issues.
  25. Recommendations about security enhancement.
  26. SSL/TLS scan reports (this means output from sites such as SSL Labs).
  27. Banner grabbing issues (figuring out what web server we use, etc.).
  28. Open ports without an accompanying POC demonstrating vulnerability.
  29. Recently disclosed vulnerabilities. We need time to patch our systems just like everyone else – please give us two weeks before reporting these types of issues.
  30. Entering the Droplet offices and hijacking an abandoned terminal on an unlocked workstation while staff are distracted.
A Word from team Droplet

We ask the security research community to provide us with an opportunity to rectify a vulnerability. Please submit a detailed description of the issue and the steps you think that may be required to reproduce what you have observed. Please make a good effort to protect our users' privacy and data. We are committed to addressing security issues responsibly and timely.

Rewards

The monetary rewards for every valid security bug would be based on criticality of the issue and can only be credited to your Droplet wallet in the form of cryptocurrencies . However, the minimum monetary reward is 1000 INR.

Reporting Format

If you believe you have found a security vulnerability in one of our products or platforms, please send it over at [email protected]. Make sure you include the following details in your report:

  1. Description of the location and potential impact of the vulnerability
  2. A detailed description of the steps required to reproduce the vulnerability – POC scripts, screenshots, and compressed screen captures would be helpful for us.