Bug bounty program

The Bug Bounty program is limited to technical and logical vulnerabilities in Vivid Money applications and services.
The assets in scope are:

Any reports that do not fall within this scope will not be considered.
The Bug Bounty program does not accept reports that fall into any of the following categories:
  • Spam.
  • Vulnerabilities that require social engineering or phishing.
  • Reports of phishing and other social engineering techniques.
  • DDoS attacks.
  • Hypothetical issues with no practical impact.
  • Security vulnerabilities in third-party applications/libraries and on third-party websites integrated with Vivid Money.
  • Scanner output or scanner-generated reports.
  • Issues found solely through automated testing.
  • Publicly disclosed bugs in widely used Internet software, for 30 days after their disclosure.
  • Man-in-the-Middle attacks.
  • Host header injection without a specific, demonstrable impact.
  • Self-XSS without the ability to attack other users.
  • Login/logout CSRF.
  • CSRF and XSS that do not affect sensitive data.
  • Bypassing root and jailbreak detection.
  • Reports that the mobile application can be reverse engineered.
  • Information about IP addresses, DNS records and open ports.
  • Disclosure of public information about users.
  • Clickjacking.
  • Reports about the weaknesses of SMS-based codes.
  • The ability to send unlimited SMS messages or emails (lack of rate limiting).
  • Reports of incorrect rounding in conversion transfers between the current, savings and brokerage accounts.
  • Lack of recommended security mechanisms without an additional attack vector (for example, HTTP security headers, cookie security flags or CSRF protection).
  • Insecurely configured TLS or SSL without a demonstrated attack vector.
  • Open Redirect without an additional attack vector (for example, theft of an authorization token).
  • Content spoofing or text injection on a page.
  • Vulnerabilities that require complex or unlikely user interaction.
  • Tabnabbing.
  • Full Path Disclosure.
  • Vulnerabilities whose exploitation requires malware, root privileges or a jailbreak on the device.
  • Use of outdated or potentially vulnerable software without an additional attack vector.
  • Disclosure of technical or non-sensitive information (for example, product versions or software used).

If your finding does not fall into any of the listed categories, we are ready to review your vulnerability report.
The vulnerability report should contain the following information:
  • Description of the vulnerability (severity score, impact, criticality, etc.).
  • Attack vector.
  • Steps to reproduce.
  • Severity analysis.
  • Remediation recommendations.
  • Type of vulnerability.
  • Screenshots or video confirming the presence of the vulnerability and demonstrating the reproduction steps.
  • An example of the crafted request.

Important: when we determine the severity level, the following factors are also taken into account:
  • The level of privileges required to carry out the attack.
  • Difficulty of discovery and exploitation.
  • Whether user interaction is required.
  • Impact on the integrity, availability and confidentiality of the affected data.
  • Impact on business risks and reputational risks.
  • The number of users affected.

Bug bounty reports should be sent to [email protected]