What is Bitci Vulnerability Reporting Program?

Bitci Vulnerability Reporting Program is a program based on rewarding vulnerabilities to be found by researchers. All researchers who detect a security vulnerability in Bitci's platforms or services and report this vulnerability to us via

have the chance to win a reward.

Program Rules

• Rewards over the minimum are at our discretion, but we will pay significantly more for particularly serious issues.
• Only one reward per bug.
• When the same vulnerability is reported by more than one person, only the person who submits the first valid report will be eligible for the reward.
• It is forbidden to open an account with fake e-mail or identity information. At the same time, tests to be made with such memberships will not be taken into account.
• The e-mail account and phone number of the person who sent the vulnerability must be the same as the information in the BITCI account.
• The person sending the vulnerability and the person discovering the vulnerability must be the same person.
• A clear violation of the privacy of personal information or publication is prohibited.
• It is forbidden to share the found vulnerability through other platforms, websites, forums or with other people without the permission of BITCI. Identified vulnerabilities should not be shared publicly.
• BITCI employees, employees of active business partners and their first degree relatives cannot win rewards.
• You must be at least 18 years old to be eligible for the reward.
• Reports can be submitted in English through
  [email protected]
• Bug report mails will be replied within 15-30 days
• There should be no legal obstacles to get the reward.

Scope

• Payments manipulation
• Remote code execution (RCE)
• Injection vulnerabilities (SQL, XXE)
• File inclusions (Local & Remote)
• Access Control Issues (IDOR, Privilege Escalation, etc)
• Leakage of sensitive information
• Server-Side Request Forgery (SSRF)
• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• Directory traversal
• Other vulnerability with a clear potential loss

Actions to Avoid During Tests

Responsible investigation and reporting includes, but isn't limited to, the following:

• Don't violate the privacy of other users, destroy data, disrupt our services, etc.
• Only target your own accounts in the process of investigating the bug. Don't target, attempt to access, or otherwise disrupt the accounts of other users.
• Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
• Report the bug only to us and not to anyone else. In general, please investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise your actions might be interpreted as an attack rather than an effort to help.

Out of Scope

• Vulnerabilities on sites hosted by third parties (support.bitci.com, etc) unless they lead to a vulnerability on the main website. Vulnerabilities other than www.Bitci.com will not be taken into account.
• Assets that do not belong to the company
• Best practices concerns
• Recently (less than 30 days) disclosed 0day (ZeroDay) vulnerabilities
• Vulnerabilities affecting users of outdated browsers or platforms
• Social engineering, phishing, physical, or other fraud activities
• Publicly accessible login panels without proof of exploitation
• Reports that state that software is out of date/vulnerable without a proof of concept
• Reports that generated by scanners or any automated or active exploit tools
• Vulnerabilities involving active content such as web browser add-ons
• Most brute-forcing issues without clear impact
• Denial of service (DoS/DDoS)
• Theoretical issues
• Moderately Sensitive Information Disclosure
• Spam (sms, email, etc)
• Missing HTTP security headers
• Infrastructure vulnerabilities, including:
• DNS issues (i.e. MX records, SPF records, DMARC records etc.);
• Certificates/TLS/SSL-related issues;
• Server configuration issues (i.e., open ports, TLS, etc.)
• Open redirects
• Session fixation
• User account enumeration
• Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
• Descriptive error messages (e.g. Stack Traces, application or server errors)
• Self-XSS that cannot be used to exploit other users
• Login & Logout CSRF
• Weak Captcha/Captcha Bypass
• Lack of Secure and HTTPOnly cookie flags
• Username/email enumeration via Login/Forgot Password Page error messages
• CSRF in forms that are available to anonymous users (e.g. the contact form)
• OPTIONS/TRACE HTTP method enabled
• Host header issues without proof-of-concept demonstrating the vulnerability
• Content spoofing and text injection issues without showing an attack vector/without
• Being able to modify HTML/CSS
• Content Spoofing without embedded links/HTML
• Reflected File Download (RFD)
• Mixed HTTP Content
• HTTPS Mixed Content Scripts
• Manipulation with Password Reset Token
• MitM and local attacks