We run a Bug Bounty Program to reward external contributors who bring security vulnerabilities to our attention. The details of how the program works are available below.
Responsible Disclosure Policy
You disclose responsibly if you:
- Give us a reasonable time before disclosing the vulnerability
- Make a good faith effort to not interrupt or degrade our service
- Do not defraud or harm Delta Exchange or its users during your research
If you do your best to follow these guidelines in discovering and disclosing a vulnerability, we won’t take any legal action against you. We will do our best to respond to your submission as quickly as possible, keep you updated on the fix, and award a bounty where appropriate.
- Adhere to the Responsible Disclosure Policy above
- Do not attempt to gain access to another user’s account or information (use your own test accounts)
- Report only original and previously undisclosed bugs
- Do not disclose a bug publicly before it has been fixed
- Do not use scanners or automated tools to find bugs
- Interacting with real customers is forbidden.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
- Do not attack the reliability or integrity of our services (e.g., no DDoS attacks, blackhat SEO techniques, spamming, or similar questionable acts)
- Employees of Delta Exchange and its subsidiaries are ineligible.
- Residents of U.S. sanctioned countries (Cuba, Iran, Sudan, Syria and North Korea) are ineligible
If in doubt, please email us at [email protected].
Services in Scope
Services provided on the following domains by Delta Exchange are eligible for our Bug Bounty Program: www.delta.exchange and all Delta Exchange APIs in production. Services provided on independent (sub)domains such as testnet.delta.exchange and docs.delta.exchange are not included in the bounty program, though Delta Exchange may, at its sole discretion, also award bounties for reports on those subdomains.
Any design or implementation issue that could result in substantial financial loss, data breach, or service degradation is within scope including, but not limited to:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF)
- Mixed-content scripts
- Authentication or authorization flaws
- Server-side code execution bugs
- Remote code execution
- Accounting errors
Depending on their impact, some disclosures may not qualify. Vulnerabilities in the following areas are examples of common exclusions:
- Software packages not produced by Delta Exchange, e.g. WordPress and related software
- Domains hosted by third parties
- Delta Exchange-branded services operated by third parties
- Delta Exchange open source projects (see https://github.com/delta-exchange)
- Bounties are awarded at the discretion of the Delta Team
- Multiple bounties will not be awarded for variations or multiple instances of the same bug
- Duplicate entries will only be awarded to the first submission
The following guidelines give you an idea of what we usually pay out for different classes of bugs – for all things not listed below, this program follows the Bugcrowd VRT (https://bugcrowd.com/vulnerability-rating-taxonomy) for prioritizing issues.