Description

At Bitvavo, we are committed to ensuring the security of our information, systems, and services. We recognize and value the important role of security researchers in helping us identify and mitigate cybersecurity risks. This Vulnerability Disclosure Program provides a structured and responsible way to report potential vulnerabilities, enabling us to protect our users and maintain the integrity of our platform. Before beginning your research, we kindly request that you carefully review this program's scope. This will ensure that your efforts align with our objectives. Happy hacking. Visit our website for more information: www.bitvavo.com

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement

  • Request rate limit: max. 20 requests/sec
  • All other rules-of-engagement fields: not applicable

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

Terms and Conditions

  1. Participants must follow these guidelines in order to be eligible to receive any payouts pursuant to this Program:
    • Only testing of In-Scope products detailed in the section titled “Scope” is allowed;
    • Do not disclose any issue publicly before a fix has been released;
    • Participants may at no time disrupt any Bitvavo service;
    • Participants may not access any accounts or data other than their own;
    • Do not post attachments or Proofs of Concept (PoCs) on a third-party website; instead, participants must include them in the report;
    • Participants must comply with all applicable laws;
    • All actions must be performed strictly during participation in the Program and in adherence with this Policy; and
    • All actions must be performed as good-faith security research, with the intent to report to Bitvavo.
  2. Safe harbor: Activities conducted in a manner consistent with this Policy will be considered authorized conduct and we will not initiate legal action against you for breach of any applicable license provisions. Note that you are still responsible for compliance with any local laws, and that this safe harbor does not extend to breach of any laws applicable to you.
  3. Bitvavo reserves the right to make a determination of whether a violation of this policy is accidental or in good faith.

Assets

  • iOS (Mobile Hacking, no bounty)
  • Android (Mobile Hacking, no bounty)

https://api.bitvavo.com/v2/* (Wildcard, API, no bounty)

This is the base REST API endpoint for Bitvavo. For the full list of available methods, endpoints, schema definitions, and authentication requirements, consult the canonical API documentation:

https://docs.bitvavo.com/docs/rest-api/

Bitvavo offers two protocols for interacting with its platform: REST and WebSocket. Both protocols return JSON-encoded responses, and use standard HTTP status codes. However, each protocol is optimized for different use cases:

REST API

  • Best suited for synchronous, request-response interactions.
  • Client initiates every call, and the server responds with the requested data.

For more details, read our API docs carefully at https://docs.bitvavo.com/docs/get-started/

wss://ws.bitvavo.com/v2* (Wildcard, API, no bounty)

This is the base WebSocket API endpoint for Bitvavo. For the full list of available methods, endpoints, schema definitions, and authentication requirements, consult the canonical API documentation:

https://docs.bitvavo.com/docs/websocket-api/

Bitvavo offers two protocols for interacting with its platform: REST and WebSocket. Both protocols return JSON-encoded responses, and use standard HTTP status codes. However, each protocol is optimized for different use cases:

WebSocket API

  • Ideal for real-time, event-driven communication.
  • Once connected, the server continuously pushes updates to the client without requiring repeated requests.

For more details, read our API docs carefully at https://docs.bitvavo.com/docs/get-started/

In scope

Introduction

We are happy to announce our program! We've done our best to clean up our known issues and now would like to request your help to spot the ones we missed!

Our vulnerability disclosure program covers all our products and services under our direct control. At this moment, the following domains are included in scope:

  • account.bitvavo.com
  • edge.bitvavo.com
  • public.bitvavo.com
  • assets.bitvavo.com
  • api.bitvavo.com
  • ws.bitvavo.com

In addition, our official mobile applications (iOS and Android) are also in scope.

Feedback

If you would like to help us improve our program or have feedback to share, please send your anonymous feedback through the program feedback link.
Please note this form is checked periodically and should not be used for submissions or support queries.

Out of scope

Domains

  • Domains listed below are not under our direct control and are not in scope for this program. Testing against these assets will not be accepted under this program.

    • blog.bitvavo.com
    • support.bitvavo.com
    • jobs.bitvavo.com

Web Applications and APIs

  • API key disclosure without proven business impact
  • Pre-Auth Account takeover / OAuth squatting
  • Self-XSS that cannot be used to exploit other users
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags (HttpOnly, Secure, SameSite, etc.)
  • Missing security-related HTTP headers (X-XSS-Protection, X-Frame-Options, etc.)
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Content injection without being able to modify the HTML
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XML-RPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks are not sufficient)
  • Host header injection without proven business impact
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Username/email enumeration
  • Email bombing
  • Disclosed/misconfigured Google Maps API keys
  • Open redirection at /redirect endpoint with redirect parameter and at /apps/affiliate/v1/generate-url endpoint with merchant_fallback_url parameter.

Mobile

  • Local access to user data when operating a rooted mobile device.
  • Attacks that require physical access to or modification of the mobile device are not in scope.

General

  • If a reported vulnerability was already known to us from our own tests, it will be flagged as a duplicate
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receives security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
  • Verbose messages/files/directory listings without disclosing any sensitive information

Duplicates

  • Vulnerabilities that were already known to us through our own testing will be flagged as duplicate.
  • Vulnerabilities that were already reported to us will be flagged as duplicate.

Severity assessment

This program follows Intigriti's triage standards based on the proof of concept.

FAQ

Where can we get credentials for the app?

We currently do not provide test user credentials. You can create your own account by registering directly through the app, but please don’t forget to use your @intigriti.me address.


Activity

  • 9/22: Bitvavo changed the assets (five updates)
  • 9/22: Bitvavo VDP launched