Bitrefill Responsible Vulnerability Disclosure Policy

Introduction

At Bitrefill, we take the security of our systems and the protection of our users very seriously. Despite our ongoing efforts to enhance security, vulnerabilities may still arise. If you identify a potential security issue, we encourage you to report it responsibly.

How to Report a Vulnerability

If you believe you have discovered a vulnerability in any of Bitrefill's services, please follow these guidelines:

  1. Reach Out: Send your findings to security@bitrefill.com.
  2. Descriptive Subject Line: Use a specific and informative subject line for your email (e.g., "Vulnerability in Injection").
  3. Provide Sufficient Information: Include details that allow us to reproduce the issue, such as the affected URL and a thorough description. If the vulnerability is complex, additional information or a Proof of Concept may be helpful.
  4. One Report Per Email: To ensure clarity, please submit one vulnerability per email.
  5. Avoid Exploitation: Do not exploit the vulnerability or access data that does not belong to you. Refrain from downloading or altering data to demonstrate the issue.
  6. Maintain Confidentiality: Please do not disclose the vulnerability to third parties until we have resolved it.

Our Commitment

  • Safe Harbor: If you follow the guidelines outlined in this policy, we will regard your actions as responsible and will not pursue legal action against you in connection with your report.
  • Acknowledgment: We will confirm receipt of your report on a best-effort basis.
  • Evaluation Feedback: We will assess your report and provide an expected timeline for resolution as soon as possible.
  • Confidentiality Assurance: Your report will be handled confidentially, and we will not share your personal information without your consent unless required by law.
  • Progress Updates: We will keep you informed about the status of the resolution throughout the process.
  • Recognition and Rewards: We value your contribution and offer monetary rewards for major vulnerabilities that we were previously unaware of, as well as credit on our website for lesser ones.

Out of Scope Vulnerabilities

The following types of vulnerabilities are not eligible for reporting under this policy:

  • Issues stemming from third-party services (e.g., payment processors).
  • Vulnerabilities that do not affect Bitrefill services or data.
  • User interface (UI) and user experience (UX) issues, such as typographical errors or design inconsistencies.
  • Reports generated by automated tools that lack manual validation.
  • Vulnerabilities requiring physical access to a user's device.
  • Social engineering attempts targeting Bitrefill employees or customers.
  • Vulnerabilities that require the user to take an action before they can be exploited (e.g., phishing).
  • Non-exploitable vulnerabilities that do not directly impact confidentiality, integrity, or availability.
  • Weaknesses in third-party libraries or frameworks outside of Bitrefill's control.
  • Missing security headers that do not directly lead to a vulnerability.
  • Issues related to SPF/DMARC records.
  • Information disclosures that do not involve sensitive user data.
  • Denial of Service (DoS) attacks or attempts to disrupt service availability.
  • Most security issues that can be found just by running automated tools.
  • Vulnerabilities that have already been reported.
  • Vulnerabilities on external websites tied to bitrefill.com, such as blog.bitrefill.com.

Severity Ratings

  • Critical:
    • Full login bypass
    • Arbitrary code execution on production servers
    • Arbitrary query execution on production databases
    • Access to crypto wallets
  • High:
    • Support tool access
    • Private customer information leak
    • Account balance manipulation
    • Refund on delivered products
    • Product delivery without full payment
  • Medium:
    • Non-sensitive XSS or CSRF
    • Purchase limit bypass
  • Low:
    • Unexpected behavior with no information leak or privilege escalation
    • System information leak that should not be available to the general public

Additional Notes

This program is intended to foster collaboration and may be subject to change or termination at Bitrefill's discretion. Any individuals engaged in malicious activity or harassment will be disqualified from receiving rewards.

Thank you for helping us enhance the security of Bitrefill!