Effective Date: October 18, 2021
Finblox recognizes the importance and value of security researchers’ efforts in helping to keep our services safe. We encourage responsible disclosure of vulnerabilities via our public bug bounty program (“Bug Bounty Program”) described on this page.
The Bug Bounty Program scope covers all software vulnerabilities in services provided by Finblox.
Please review our Bug Bounty Program terms before submitting a report. By submitting a report, you agree to the terms herein. A valid report should clearly demonstrate a software vulnerability that harms Finblox systems or customers. A report must be valid, in scope report in order to qualify for a bounty. Finblox will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.
Finblox will not initiate legal action for security research conducted in accordance with this document even with accidental violations made with good faith. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c).
If legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Finblox cannot and does not authorize security research in the name of other entities. However, Finblox reserves the right to forward details of any issues discovered in relation to a third party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers throughout this process.
Please receive permission from our Security team (email us at [email protected]) before engaging in conduct that may be inconsistent with or unaddressed by this policy. This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.
Complying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:
Finblox considers Social Engineering attacks against Finblox employees to be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Finblox employees will be banned from the Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.
Any domain not listed is out of scope. If you have identified a security vulnerability on a target that is not in scope but demonstrates a connection with Finblox, you may report it, however, depending on the severity of the discovered vulnerability, it may or may not be eligible for rewards.
REPORTING THE VULNERABILITIES
All vulnerabilities should be reported at [email protected]. In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Finblox that harms Finblox or our customers. Finblox may reject any submission that does not meet the criteria set forth in these terms or is deemed ineligible at our sole discretion. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid. Along with your detailed report, please be sure to include the following:
Preferably include the CVSS v3.1 Score calculation. This will help us to assign the right priority to your report and speed up the process in general. One of the tools that can be used for the calculation: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.
REPORTS EVALUATION AND REWARD
Finblox awards bounties based on CVSS v3.1 Overall Score of the vulnerability. In order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Finblox provides the below table which is based on the historical payouts:
CVSS v3.1 Overall Score
|9.0 – 10.0
|7.0 – 8.9
|4.0 – 6.9
|0.1 – 3.9
The payouts listed above are minimum bounties per Category. Bonuses in excess of the vulnerability category minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports which is determined by our sole discretion.
Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.
Bounty Reward arrangements under this program, including but not limited to the bounty amount, a form of payments, and timing, are at Finblox’s sole discretion and will be made on a case-by-case basis.
Any participants involved in the Bug Bounty Program are responsible for any liability associated with taxation with Bounty award payments. Finblox makes no representation in regards to the tax consequences of said payments under any circumstances in this program.
HOW YOU CAN CONTACT US ABOUT BUG BOUNTY QUESTIONS
If you have questions or concerns regarding this program, you may contact us on our support page or by contacting our Security Officer at [email protected].
No minimums, no lock-ins - withdraw anytime!
Don't miss out on the rewards!
Sign up to receive updates on new features, promotions, and more!
When you transfer your digital assets through Finblox, the funds will be held initially with our custodial partner Fireblocks, the most trusted leading digital asset security infrastructure providing enterprise-grade security, insurance, and 24/7 access to digital assets.
Finblox is not a bank nor a deposit account, nor is it a depository institution, custodian, fiduciary, or any other type of asset account characterized as a banking product or service. Any information, services, and comments provided on the site are for informational and self-help purposes only and are not intended to be a substitute for professional financial advice. When you purchase crypto (Digital Assets) on the Finblox platform, your purchase will be facilitated by a third party. Finblox does not provide fiat-to-crypto onboarding.
Any services, information and/or materials contained herein may not be legally available for residents of certain jurisdictions, countries under embargoes or sanctions and/or other blacklisted countries. If such restrictions apply to you, you are prohibited from accessing the website and/or consume any services provided on this platform. You are requested to leave this website. Finblox is not available in some jurisdictions and territories, including Hong Kong.
Holding or trading digital assets could involve a substantial risk of loss, please take the time to fully understand the risks associated in our Risk Disclosure page. Insurance coverage scope is limited, limitations apply, please contact us for more details.