🤝 Thank You for Helping Us: We welcome responsible security researchers to help us
maintain the security of Cryptoffsize. If you discover a vulnerability, please report it responsibly.
1. Program Overview
Cryptoffsize's Responsible Disclosure Program encourages security researchers to report vulnerabilities
they discover in our Platform. We are committed to working with the security community to verify and address
reported vulnerabilities promptly.
1.1 Our Commitment
When you report a vulnerability to us responsibly, we commit to:
- Acknowledge: Respond to your report within 48 hours
- Investigate: Thoroughly investigate the reported vulnerability
- Communicate: Keep you updated on our progress
- Fix: Remediate verified vulnerabilities in a timely manner
- Credit: Publicly acknowledge your contribution (if desired)
- Protect: Not pursue legal action for good-faith research
2. Scope
2.1 In Scope
✅ Report these vulnerabilities:
- Web Application: Cryptoffsize website and web services
- Authentication: Login, registration, password reset flaws
- Authorization: Access control bypass, privilege escalation
- Cryptography: Weak encryption, insecure key storage
- Injection: SQL injection, XSS, command injection, etc.
- CSRF: Cross-Site Request Forgery vulnerabilities
- Session Management: Session hijacking, fixation
- Data Exposure: Sensitive data leaks, information disclosure
- Business Logic: Flaws in application logic
- API Security: API vulnerabilities and abuse
2.2 Out of Scope
❌ Do NOT report these:
- Social Engineering: Phishing, vishing, physical security
- Denial of Service: DoS/DDoS attacks
- Spam: Email spam or other spam activities
- Physical Security: Office access, etc.
- Non-Security Issues: Bugs that don't affect security
- Known Issues: Vulnerabilities we've already disclosed
- Theoretical Vulnerabilities: Without proof of concept
- Third-Party Services: Vulnerabilities in services we don't control
- Best Practice Violations: That don't lead to exploitable vulnerabilities
3. Rules of Engagement
3.1 What You Can Do
✓ Allowed
- Test on Your Own Account: Create an account and test features
- Automated Scanning: Use vulnerability scanners (within limits)
- Proof of Concept: Create PoC to demonstrate vulnerability
- Source Code Review: Review publicly available code
- Public Testing: Test publicly accessible pages and APIs
3.2 What You Cannot Do
✗ Prohibited
- Access Other Users' Data: Do not access, modify, or delete others' data
- Disrupt Service: No DoS, DDoS, or service degradation
- Social Engineering: Do not phish or manipulate users/staff
- Physical Testing: No physical access attempts
- Destructive Testing: No data destruction or corruption
- Unauthorized Access: No accessing systems beyond the vulnerability
- Public Disclosure: Do not publicly disclose before we patch
- Extortion: Do not demand payment or threaten disclosure
4. How to Report
4.1 Reporting Process
- Contact Us: Report via our support system with "SECURITY VULNERABILITY" in the subject line
- Provide Details: Include all relevant information (see below)
- Wait for Response: We'll acknowledge within 48 hours
- Collaborate: Work with us to verify and understand the issue
- Give Us Time: Allow reasonable time for remediation before disclosure
4.2 What to Include
A good vulnerability report should include:
- Vulnerability Type: What kind of vulnerability (SQL injection, XSS, etc.)
- Location: URL, endpoint, or specific page affected
- Impact: What an attacker could do with this vulnerability
- Steps to Reproduce: Detailed steps to replicate the issue
- Proof of Concept: Screenshot, video, or code demonstrating the vulnerability
- Suggested Fix: (Optional) How you would fix it
- Your Contact Info: How we can reach you for follow-up
4.3 Report Template
Example Report Format:
Subject: [SECURITY VULNERABILITY] SQL Injection in Login Form
Vulnerability Type: SQL Injection
Severity: High
Location: https://Cryptoffsize.com/login.php
Parameter: email field
Description: The login form does not properly sanitize user input in the email field,
allowing SQL injection attacks.
Steps to Reproduce:
1. Navigate to login page
2. Enter ' OR '1'='1 in email field
3. Enter any password
4. Click login
5. Observe unauthorized access
Impact: Attacker could bypass authentication and access any account.
Proof of Concept: [Screenshot or video attached]
Suggested Fix: Use prepared statements for database queries.
Reporter: Your Name (email@example.com)
5. Severity Classification
| Severity | Description | Impact | Response Time |
|---|---|---|---|
| Critical | Remote code execution, authentication bypass, data breach | Complete system compromise | 24 hours |
| High | SQL injection, XSS (stored), privilege escalation | Significant security breach | 7 days |
| Medium | CSRF, information disclosure, XSS (reflected) | Limited security impact | 30 days |
| Low | Information leakage, best practice violations | Minimal security impact | 90 days |
6. What to Expect
6.1 Response Timeline
- Initial Response: Within 48 hours of report
- Triage: Initial severity assessment within 5 business days
- Investigation: Thorough review of the reported issue
- Remediation: Fix developed and tested
- Deployment: Patch deployed to production
- Verification: Confirm fix resolves the vulnerability
- Disclosure: Public disclosure (if applicable)
6.2 Communication
We will keep you informed throughout the process:
- Acknowledge receipt of your report
- Provide an initial assessment of severity
- Update you on investigation progress
- Notify you when the issue is fixed
- Coordinate public disclosure timeline
7. Recognition & Rewards
7.1 Hall of Fame
🏆 Security Researcher Recognition: We maintain a Hall of Fame page
recognizing security researchers who have helped improve our security.
We will publicly acknowledge your contribution (if you wish) including:
- Your name (or handle)
- Link to your website/social media (optional)
- Brief description of the vulnerability (after patch)
- Date reported and date fixed
7.2 Bug Bounty (Coming Soon)
We are developing a bug bounty program that will offer monetary rewards for qualified vulnerability reports:
- Critical: TBD
- High: TBD
- Medium: TBD
- Low: Recognition only
Details will be announced when the program launches.
8. Legal Protection
8.1 Safe Harbor
⚖️ Legal Protection: We will not pursue legal action against security researchers
who comply with this Responsible Disclosure Policy.
If you comply with this policy when reporting vulnerabilities:
- We consider your research authorized
- We will not pursue criminal or civil legal action
- We will not report you to law enforcement
- We will not pursue DMCA or CFAA claims against you
8.2 Conditions
This protection applies only if you:
- Follow the rules of engagement outlined in this policy
- Report vulnerabilities responsibly and promptly
- Do not access, modify, or delete other users' data
- Do not disrupt or degrade the service
- Do not publicly disclose before we patch the vulnerability
- Make a good-faith effort to avoid harm
9. Coordinated Disclosure
9.1 Disclosure Timeline
We prefer coordinated disclosure:
- Report: You report the vulnerability to us privately
- Fix: We fix the vulnerability
- Coordinate: We work with you to agree on disclosure timing
- Disclose: We publicly disclose the fixed vulnerability
9.2 Our Disclosure Policy
- Timing: We aim to fix critical issues within 90 days
- Notification: Notify affected users if necessary
- Credit: Give you credit in our security advisory
- Details: Publish technical details after fix is deployed
9.3 If We Don't Fix It
If we cannot fix a vulnerability within a reasonable timeframe, we will:
- Explain why the fix is delayed
- Discuss workarounds or mitigations
- Agree on a revised timeline
- Support responsible disclosure if warranted
10. Examples of Good Reports
10.1 SQL Injection Example
✅ Good Report:
"I discovered a SQL injection vulnerability in the transaction history page.
The 'sort' parameter is not properly sanitized. By injecting SQL code, I was able
to extract database schema information (attached screenshot showing table names).
This could allow an attacker to extract sensitive data. Steps to reproduce and
proof of concept are attached."
10.2 XSS Example
✅ Good Report:
"I found a stored XSS vulnerability in the referral code field. When a user enters
a referral code containing JavaScript, it is stored without sanitization and executed
when displayed on the referrals page. This could allow an attacker to steal session
cookies. Video demonstrating the vulnerability is attached."
11. Questions?
11.1 Contact Us
📧 Security Team Contact:
For Vulnerability Reports:
Use the support system with subject: [SECURITY VULNERABILITY]
For General Security Questions:
Use the support system with subject: [SECURITY INQUIRY]
Response Time: 48 hours maximum
PGP Key: Available upon request for encrypted communication
11.2 Frequently Asked Questions
Q: Can I test on production?
A: Yes, but only create test accounts and do not access others' data or disrupt service.
Q: How long do I need to wait before public disclosure?
A: We prefer 90 days from report date, but we'll coordinate with you.
Q: Can I mention this in my resume/portfolio?
A: Yes, after we've patched and publicly disclosed the vulnerability.
Q: What if I accidentally accessed user data?
A: Inform us immediately, delete any accessed data, and do not proceed further.
Q: Do you accept reports from anonymous researchers?
A: Yes, but we cannot provide recognition or future bounties without contact info.
12. Thank You
🙏 Appreciation: We are grateful to the security community for helping us
protect Cryptoffsize and our users. Your responsible research makes the internet safer.
Together, we can ensure Cryptoffsize remains secure for all users.
Help us build a more secure platform. Report responsibly.