TheRockTrading bug bounty program

About

The Rock Trading is a cryptocurrency exchange that converts euros to cryptocurrencies (and vice versa) and cryptocurrencies to other cryptocurrencies, operating in full compliance with European directives and regulations. In 2011 its executive managers decided to explore a new and exciting field of the trading industry, the world of cryptocurrencies, which was then in its earliest years. After a few months of testing and building a stable platform, the first bitcoin was traded on The Rock Trading in June 2011, making it the first and oldest European cryptocurrency exchange. Driven by continuous demand from our international customers, we have focused most of our activity on developing a reliable platform that offers European citizens a gateway to the world of cryptocurrency, in full compliance with European standards and regulations.

Our company recognizes the importance of security, privacy and community, and values the input of hackers acting in good faith to help us maintain a high standard for our users. This includes encouraging responsible vulnerability research and the disclosure of security vulnerabilities.

Submission

Send the vulnerability report, with a proof of concept and a detailed description, to support@therocktrading.com for triage and evaluation.

Rewards

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Rewards are paid in euro to your TRT account balance. That balance can be used to buy cryptocurrency on the platform, but it cannot be withdrawn directly as euro, for AML compliance reasons.

Once your submission is accepted, provide the following to receive your reward:

Either the ROCK ID or the account name of your verified (KYC-compliant) researcher account, together with an invoice/receipt (a template is available, for example, at www.invoicesimple.com/receipt-template) made out to:

BILL TO:
The Rock Trading SPA
Corso di Porta Romana n.61 20122 Milano (MI)
Italy
P.Iva IT10983140962
C.F.04779060286

If you cannot register an account on http://www.therocktrading.com, contact support@therocktrading.com for the fallback payment procedure (which takes a few weeks); the standard procedure is fast (a few days).

Reward range

P5 (Informational) findings are appreciated but not rewarded; for a particularly interesting P5 submission we may grant a fee discount on the TRT platform.

Technical severity    Reward range
P1  Critical*         €2000 – €4500
P2  Severe            €600 – €1500
P3  Moderate          €200 – €500
P4  Low               €50 – €150

* Maximum reward (highest P1 reward) for an exceptional submission: €10000

Ratings

Findings are prioritized and rated according to the Bugcrowd Vulnerability Rating Taxonomy, published at:

https://github.com/bugcrowd/vulnerability-rating-taxonomy

Targets

In scope

Target name                    Type
http://www.therocktrading.com  Website
api.therocktrading.com         API

Out of scope

Target name                    Type
support.therocktrading.com     Website
blog.therocktrading.com        Website
*staging.therocktrading.com    Website/API
*testing.therocktrading.com    Website/API

Testing is only authorized on the targets listed as In-Scope. Any domain/property of The Rock Trading not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you’ve identified a vulnerability on a system outside the scope, please reach out to sec.dept@therocktrading.com.

Access

Researchers are encouraged to self-provision accounts as needed.

Actions to avoid

  • Testing on accounts other than those that you own
  • Automated testing using tools such as scanners
  • Excessive request attempts
  • Destruction of data

Ineligible issues

  • Theoretical vulnerabilities without actual proof of concept
  • Password complexity policies
  • Incomplete, invalid or missing email authentication records (SPF, DKIM, DMARC)
  • Clickjacking/UI redressing with minimal security impact
  • Email or mobile enumeration (E.g. the ability to identify emails via password reset)
  • Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
  • Internally known issues, duplicate issues, or issues which have already been made public
  • Tab-nabbing
  • Self-XSS
  • Denial-of-service (DoS/DDoS) vulnerabilities or proofs of concept
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities related to auto-fill web forms
  • Vulnerabilities that require physical access to a user’s device
  • Issues that have no security impact
  • Issues in software not under our control

Safe Harbor

This program is fully committed to providing safe harbor for good-faith security research.

Learn more about safe harbor at disclose.io

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

 TRT srl – Galleria del Corso 2 – 20122 Milano, Italy – VAT: 10120840961