Bug Bounty

Exo GmbH (Bitpanda) Exo .lx, as Europe's leading retail exchange for buying and selling cryptocurrencies, has made every effort to secure its platform and mobile applications and to eliminate all software vulnerabilities in its systems. As part of Exo's security guidelines, we appreciate your cooperation in investigating and reporting any vulnerabilities of the Exo Services (as defined below). This Bug Bounty Programme gives you the framework on how to act as a security researcher and be rewarded for finding and reporting bugs within the Exo ecosystem (Exo Bug Bounty Programme or Programme).

Scope of the Programme

This section will give you an overview of the Exo Bug Bounty Programme. Please make sure you keep the ruleset in mind before investigating any issues. Exo offers rewards for significant bugs pursuant to this Programme. Exo reserves the right to modify or cancel the Exo Bug Programme at Exo's sole discretion and at any time.

Security Researcher

Every person participating in the Exo Bug Bounty Programme is called a “Security Researcher”. To be classified as a Security Researcher you must fully comply with this Programme. Only fully compliant “Security Researchers” may get rewards according to this Programme.

Bug Report

A bug report is a summary of your findings concerning a detected vulnerability of Exo Services. In general, a bug report must be a valid, in-scope report to qualify as a bug report and, hence, to qualify for a reward. Please find the requirements for a compliant bug report under point "Complete Bug Report".

First Reporter Rule

A Security Researcher reporting an issue first is called the First Reporter. Rewards for a specific vulnerability go to the First Reporter. A subsequent bug report reporting the same or a similar vulnerability will not be eligible for a reward (first come, first served principle). Provided that Exo is already aware of a specific vulnerability at the time of a submitted bug report reporting the same or a similar vulnerability as already known, Exo is deemed to be the First Reporter.

Rewards

Exo grants rewards (also called bounty and/or bounties) for reporting software vulnerabilities in accordance with this Programme. Rewards may be granted if the following requirements called the “Researcher Requirements” are collectively fulfilled:

  • Responsible Investigation (description in point "Responsible Investigation");
  • Complete Bug Report (description in point "Complete Bug Report");
  • Eligibility of Vulnerability (description in point "Eligibility of Vulnerability"); and
  • Responsible Disclosure (description in point "Responsible Disclosure").

If just one of the above requirements is not fulfilled, this has to be assessed as a non-compliance with this Programme.

Exo decides at its sole and own discretion whether a reward is granted and the exact amount of such bounty. A granted reward will be paid to the Exo fiat wallet (EUR) in the Exo user account of the respective successful First Reporter. This means that a First Reporter requires a user account on the Exo platform for receiving the reward. If a Security Researcher that is qualified as a respective First Reporter is not able to set up a user account on the Exo platform (e.g. the Security Researcher holds citizenship of or is located in a jurisdiction that is excluded from Exo's services due to regulatory reasons, AML/KYC considerations, etc.), Exo may, at its own discretion and out of pure good will, arrange another form of granting the Reward to the successful First Reporter. The Security Reporter acknowledges and accepts that he has no legal claim against Exo for payment of any Reward in case he is not able to set up a user account on the Exo platform.

Responsible Investigation

Every investigation must be done responsibly. Responsible investigation includes, but is not limited to:

  • Do not destroy data or disrupt or compromise Exo's services or support third parties with such actions.
  • Do not violate the privacy or any rights of Exo's users or support third parties with such actions.
  • Do your research in your own name and for your own account. Only target your personal account. The interaction with any other user account(s) is strictly forbidden, in particular, but without limitation to:
    • Targeting or an attempt to target other user accounts;
    • Any kind of disruption and/or damaging of other user accounts and/or a user's rights.
  • Do not use, attempt or be involved in any kind of:
    • Social Engineering
    • Spam
    • Distributed Denial of Service attacks (DDOS)
    • Attacking any kind of physical security measures

Any non-responsible investigation action will result in an exclusion from the Exo Bug Bounty Programme.

Complete Bug Report

Exo needs documentation of the existing vulnerability. A bug report is complete if Exo can reproduce the bug and can assess the potential impact.

How can I make sure it is complete?

  • Add as much information in your report as you can.
  • Add a complete description of the bug.
  • Point out the potential impact of the bug.
  • Provide guidance to reproduce the bug (proof of concept).

Eligibility of Vulnerability

In general, every bug in an Exo Service leading to a relevant vulnerability could be eligible for a reward. The focus lies on:

  • Leakage of data
  • Classification of endangered data
  • Compromising the security of user funds
  • Compromising the integrity of Exo's trading system

In the following you will find some examples of security issues which may be eligible for a reward in accordance with this Programme:

  • Leakage of data
  • Getting malicious access to user funds
  • Price manipulation within the platform
  • Code injection
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Remote code execution
  • Privilege escalation
  • Clickjacking
  • Authentication bypass
  • Vulnerabilities of Non-Exo Services directly leading to a relevant impact on an Exo Service.

All vulnerabilities of Exo Services that require or are related to the following are not eligible for a bug report and/or reward and are called ineligible vulnerabilities. Such ineligible vulnerabilities are in particular:

  • UX issues not relating to security impacts
  • Vulnerabilities of any third-party software or application that interact with Exo Services
  • Social engineering & identity theft actions
  • Attacking of physical security, DDOS, spamming etc.
  • Vulnerabilities of Non-Exo Services not leading to a relevant impact on an Exo Service.
  • Vulnerabilities related to outdated, unpatched browsers or operating systems
  • Vulnerabilities that have not been responsibly investigated (see point "Responsible Investigation")
  • Vulnerabilities that have not been completely reported (see point "Complete Bug Report")
  • Vulnerabilities that have been known by us or reported by someone else first (see point "First Reporter Rule")
  • Vulnerabilities Exo can't reproduce
  • Vulnerabilities Exo can't reasonably fix or do anything about (e.g. the Heartbleed bug, or bugs concerning telecommunication systems)
  • Vulnerabilities in any open-source library
  • Vulnerabilities in existing banking functionalities (e.g. credit card, wire transfers) which can lead to any kind of abuse

The eligibility of a vulnerability is assessed solely and exclusively by Exo.

Responsible Disclosure

Security Researchers must adhere to and follow the principles of “Responsible Disclosure” as outlined in the following. Responsible disclosure rules are:

  • Sharing any information of the vulnerability to any third party is prohibited.
  • The Security Researcher must provide Exo a reasonable amount of time to fix the vulnerability.
  • Defrauding Exo itself or any users of Exo Services is prohibited.
  • Allowing, enabling or supporting other parties to defraud Exo itself or any user of Exo Services is prohibited.
  • Gaining any profit for yourself or allowing third parties to gain any profit from the vulnerability is prohibited (exception: the bounty pursuant to this Programme)
  • Sharing of any gained sensitive information to any other third party is prohibited.
  • Reports must be done without any demands, threats, ransoms or any other conditions
  • Security Researchers shall make sure that the integrity and confidentiality of the detected issues and any of Exo's user data is secured and preserved
  • Any breaking or neglect of these rules will be a violation of the Exo Bug Bounty Programme.

Rewards Structure

The reward that can be expected for your bug report depends on the severity of the reported vulnerability. The table below will give you a general guideline of what you can expect for your investigation efforts:

Vulnerability    Reward in EUR (net)
Critical         dependent on severeness of vulnerability
High             500.00
Medium           50.00
Low              5.00

The above-mentioned amounts are minimum bounties for each level of vulnerability. A concrete bounty may exceed the minimum amount based on the severity of the vulnerability and/or the Security Researcher's technique and reporting quality. The granted reward will be determined by the impact on the Exo Service.

Previously granted bounty amounts are not considered a precedent for future bounty amounts.

Evaluation of a bug report

The evaluation of your complete bug report will be done solely by Exo. As mentioned, the 4 researcher parameters set out in point "Rewards" must be fulfilled for a report to be evaluated as a valid bug report. The impact of the found vulnerability will determine the reward as described in point "Rewards Structure". The reported bug or vulnerability will be evaluated based on two factors: Impact and Exploitability.

To give you an idea of how this works, we provide you with some easy examples.

Impact

Impact in general means the damage an abuser can cause. This refers to, but is not limited to, financial damages, functional damages, exploitation of the confidentiality, integrity and availability of sensitive information, and damages which could result in reputational damages.

The scope of evaluation concerning the impact ranges from low to critical.