Vulnerability disclosure programme

Security is important for us at EasyCrypto. We care about your security, as well as our own. EasyCrypto has a Vulnerability Disclosure Programme, based on ISO/IEC 29147:2014 and we also comply with dnssecuritytxt.

If you find any issues with EasyCrypto, our domains, APIs, or websites on easycrypto.ai, easycrypto.com.au, easycrypto.nz, easycrypto.com, you can report them to us:

  • Our Security Reports form collects information about the vulnerability to help us triage your report.
  • If you are unable to use the reporting form, or your disclosure is of an especially sensitive matter, email security -at - easycrypto.ai

Hall of Fame

We have received numerous reports from white hats and researchers from around the world, as well as from internal staff and penetration testers we have commissioned.

Those who have had a report accepted -- and have allowed us to publish their names -- are listed here in our Hall of Fame, most recent at top.

  • Vineet Gurjar (3rd time)
  • Vineet Gurjar (2nd time)
  • Dennis Yassine
  • Vineet Gurjar
  • M. Arslan Kabeer

Triage

All reports are read and put through an industry-standard way of assessing their priority.

Probability × Impact = Priority

We are interested in high-impact and critical vulnerabilities. There are a lot of low-quality theoretical issues that are picked up by automated scanners, but without a proof of concept, these remain theoretical.

Probability
Impact 1 (Low) 2 3 4 5 (High)
5 (High) 5 10 15 20 25
4 4 8 12 16 20
3 3 6 9 12 15
2 2 4 6 8 10
1 (Low) 1 2 3 4 5
Probability × Impact = Priority Table (apologies for formatting)

A programme similar to ours that expands on many of these concepts is the Google VRP.

Bounties

Bounties may be paid out for confirmed vulnerabilities based on their Priority.

To be eligible you must be:

  • a. the first person to submit a given vulnerability. (SEE NOTE)
  • b. the vulnerability is considered to be a realistic security issue by our Security team
  • c. you have complied with our program requirements.

NOTE: some researchers contact us by spamming our entire company demanding a payout. No. You come to the Security team first. Some submissions have lost their precedence because they were abandoned in a spam folder instead of being directed to the Security team first.

Accepted reports with a priority of 1 can qualify for a Hall of Fame entry. Bounties rise exponentially from a roughly $20USD payout for a Priority 5 report, all the way up to $2,000USD for a Priority 25 report. We will pay out in your favourite cryptocurrency. Provided you are not a resident of a sanctioned country.

Reports from our employees are welcomed but have a different payout structure.

Ledger have a very good writeup on their Bug Bounty program. It's a good read. If it isn't acceptable there, it probably isn't acceptable here either.

Contact Us

Ready to contact us? Use one of the two methods at the top of this page.