BUG BOUNTY PROGRAM

  1. General Provisions

    We are pleased to announce the launch of our Bug Bounty Program for specific software provided through www.askbtc.org.

    For the purposes of this program, we use the following definitions:

    • An error is a defect, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result or to behave in unintended ways.
    • A vulnerability is a weakness in computer security, internal controls, design or implementation that allows an attacker to reduce the level of system security or use it accidentally or intentionally in any way.
    • An exploit is a piece of software, a piece of data, or a series of commands that uses an error or vulnerability to cause unintended or unexpected behavior in computer software and/or hardware. This behavior often involves unrestricted control of the computer system, escalation of privileges or denial of service (DoS or the associated DDoS). This term also includes expert advisors that are developed on the basis of errors and vulnerabilities.

    In accordance with the terms of the program, we offer remuneration for any security-related errors, vulnerabilities and exploits (collectively, 'Errors') found in the following, referred to as the 'reporting area': the website www.askbtc.org; the account registration service; the WebREST API; AskBtc and related software; AskBtc support, including its website and related software; and other software and related services that form the AskBtc trading system.

  2. Who has the right to participate in the Bug Bounty program

    You have the right to participate in this program if:

    • you are at least 14 years old. If you are at least 14 years of age but are considered a minor in your place of residence, you must obtain the permission of your parent or legal representative before participating in this Bug Bounty Program
    • you are an individual security researcher using your own capabilities
    • you are NOT an active employee of AskBtc or of its subsidiaries or business partners, or a close family member (parent, relative, spouse or child) of such an employee

  3. Requirements for the qualification of the error for remuneration

    To qualify, an error report must meet the following conditions:

    • the error is in our software or in third-party software integrated into the AskBtc trading system, and it falls under the list of reporting areas
    • the error is relevant to security and may affect the distribution of our and/or client funds, the security of our system, personal information or any data
    • the error is unknown to us, and you are the first to report it. If we receive several error reports for the same problem from different parties, the reward will be provided for the first qualified error report

    We may reject any bug report that, in our sole discretion, does not meet these criteria.

  4. Which problems cannot be claimed for remuneration

    This program is dedicated to identifying significant errors that have a direct and obvious impact on the operation and safety of our system and the data of our customers, and/or that can lead to the loss of our or our customers' funds and/or profits, or to the illegal enrichment of any person. We do not qualify reports of problems that affect the operation of our system if the customer can solve the problem on their own.

    Reports of errors and vulnerabilities in third-party software and services outside the reporting area (operating systems, libraries, browsers, plug-ins, host services, SDN, cloud software, services, CRM, forums, etc.) are welcome, but they do not fall under the general provisions. Such problems are investigated by the relevant suppliers. Nevertheless, critical problems affecting our software and services can be investigated by us.

    Please note that we reserve the right to decline any submission that we determine, in our sole discretion, falls into any of these categories of errors, even if it is eligible for remuneration.

  5. How to send an error report

    All error reports should be sent by e-mail to: bugreport@askbtc.org

    The entire error report should be compiled in a clear and comprehensive manner and should contain at least the following:

    • Client login in AskBtc, if any
    • Reference to the reporting area
    • Detailed information about the error in question. Please use separate error reports to describe each error if the errors do not form a clear chain. Describe the vulnerability of our services or infrastructure that threatens security or privacy. Include brief reproduction steps that are easy to understand
    • A description of the situation to which the error relates, with reference to the screenshots. The error report should include all links that were clicked, pages visited, URLs, etc. Images and videos should be accompanied by a written explanation. If you attach a video file, it must be recorded at a resolution that allows text and URLs to be read
    • A description of the attack scenario that could make use of the error. We believe that this information is very important and has the greatest impact on the amount of remuneration

    The error report must be written in a polite manner, cannot contain any unsuitable language and/or other obscene content, and cannot be otherwise compiled in such a way that it is understood by AskBtc and its personnel.

    If during the investigation you unintentionally committed a breach of confidentiality (for example, you gained access to AskBtc user account information, service configurations or other confidential information), please indicate this in your error report.

    There are no restrictions on the number of qualified error reports that can be provided and received by the applicant.

    By sending us a bug report, you agree and acknowledge that you will not disclose the content of the bug report, including the current exploit code for the applicable vulnerability, and not use it in your own account.

    If the error report meets the above requirements, you will receive an email message stating that your error report was successfully received by us.

  6. How your error report is examined

    Our research team will verify all correctly submitted bug reports and confirm their eligibility. AskBtc reserves the right to determine which error reports qualify. Please note that, depending on the number of submitted error reports and on the complexity and completeness of your report, it may take time to examine it. Please refrain from disclosing the contents of your error report or publishing it on other resources.

  7. Amount of awards

    The fee will be paid at AskBtc's own discretion, based on the quality and complexity of the reported error.

    The amount paid for a qualified error report ranges from a minimum of $100 to a maximum of $10,000.

    The final amount is always chosen at the discretion of the research team and depends on the risk associated with the error in question, its impact on the relevant work of our services and other factors. In particular, we can decide to pay higher rewards for particularly critical vulnerabilities, to pay lower rewards for vulnerabilities that involve user interaction, or that several reports are so closely related to each other that they warrant only one reward. The decisions taken by AskBtc are final.

    After the error report is verified by our research team, you may be contacted so that you can provide the documents necessary to process your award. After we receive the documents and confirmation that you are eligible to receive payment under this program, we will process the application for a fee.

  8. Prohibited activities

    You should not use errors for your own benefit or for the benefit of third parties, nor to damage our trading system, software, etc.

    You must not disclose the contents of your error report or publish it on other resources.

    You should not break the law or compromise any data that is not your own, when testing an error or sending an error report.

    When investigating an error, you should focus only on your own accounts. Never try to gain access to someone else's account or data, and do not take any actions that may be unacceptable or damaging to other AskBtc users or to AskBtc itself. When researching, you should not attempt any of the following: DDoS attacks, black-hat techniques for SEO, spamming people, or writing or using Expert Advisors that are error-based. We also prohibit the use of any vulnerability testing tools that automatically generate very large amounts of traffic.

    If our team finds out that you have committed an action specified in this section, you will not be able to receive the award. If you report an error used during a current or past attack, and we have reason to suspect that you are an intruder, we reserve the right not to pay a reward.

  9. Exemption from liability

    We will not take any legal action, refund or protect you from any and all obligations in relation to your activities with errors in our reporting area, provided that you and your error report remain in accordance with the terms of this Program.

  10. Legal issues

    By submitting your bug report to AskBtc, you:

    • grant us a non-exclusive, irrevocable, perpetual, worldwide, sublicensable license to the intellectual property that your error report may contain, in order to: (i) use, analyze, evaluate and test the error report; (ii) reproduce, modify, distribute, display and publicly publish, and also commercialize and create derivative works of, your submission and all its content, in whole or in part, in connection with this program; (iii) provide your submission and all its content in connection with the marketing, sales or promotion of this program (including internal and external sales, conference presentations, exhibitions and screenshots of the submission in press releases) in all media (now known or developed later)
    • agree to sign any documentation that may be required for us or our designated persons to ascertain the rights you have granted above
    • understand and acknowledge that AskBtc can develop or run materials that are similar or identical to your submission, and disclaim any claims that may arise as a result of any similarities to your submission
    • acknowledge that your report is your own work and that you have not used information belonging to another person or entity
    • We cannot pay compensation to persons living in countries under United Nations Security Council sanctions, or in countries for which the Financial Action Task Force (FATF) calls on its members and other jurisdictions to apply countermeasures to protect the international financial system from the current and significant money laundering and terrorist financing (ML/FT) risks arising from those jurisdictions.

      You are responsible for any tax consequences, depending on the country of residence and citizenship. There may be additional restrictions on your ability to participate in our Bug Bounty Program, depending on your local legislation.

      If there is a dispute as to who is a qualified applicant, we will review the eligible applicant and notify the account holder of the email address used to register the account with AskBtc.

      We reserve the right to publish lists of error reports and a list of experts who provided useful reports on security errors. You can notify us that you want to remain anonymous to the public, but we need to know your legal name and address to pay you.

      If your error report is qualified, but you are under 14 years of age or you are considered a minor in your place of legal residence, we may require your parent or legal representatives to sign all necessary forms on your behalf. If you do not complete the required forms in accordance with the instructions, or do not send the required forms within the time specified in the notification, we will not be able to complete the payment. We cannot process the payment until we receive all the necessary documentation.

  11. Miscellaneous

    We may cancel this Bug Bounty Program at any time and for any reason we deem necessary.

    Make sure you have carefully read and understood the terms of this Bug Bounty Program before sending us an error report. By sending us a bug report, you agree to these terms and conditions. If you do not want to accept these terms, do not send us an error report or otherwise participate in our Bug Bounty Program.


    Thank you for your cooperation!