CREATED BY JOHN ON 7/17/2019

Bitfi Vulnerability Disclosure Policy

Our policy and commitment to responsible and coordinated disclosure of security vulnerabilities

Organizations displaying the disclose.io logo are committing to a set of Core Terms focused on creating a safe harbor for good-faith security research. In order to uphold this commitment, such organizations are also required to provide clear definitions regarding the permitted Scope for such research, one or more Official Communication Channels, and a formal Disclosure Policy. Bitfi is committed to a safer Internet and works diligently with other security researchers and organizations to protect public and private assets.




Policy Purpose


We believe that good-faith security research and the responsible, coordinated disclosure of data breaches, security vulnerabilities, and product vulnerabilities (CVEs) are ethical, legal, and in the best interest of the public (the Public Good). Below we have set out our Vulnerability Disclosure and Breach Disclosure Policy, along with contact information and the official communication channels by which an organization or individual may contact us to disclose a vulnerability in Bitfi assets.


Policy


Bitfi recognizes that we have a responsibility to our customers and the community to be held to the highest standards due to the inherent nature of our business. The confidentiality, integrity, and availability of systems developed or maintained by Bitfi are vital to the interests of our organization and its customers.


The Bitfi security team acknowledges the valuable role that independent security researchers play in Internet security and we consider our own independent research to be a valuable contribution to Internet security. As a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or applications. Bitfi is committed to working with security researchers to verify and address any potential vulnerabilities that are reported to us.


Please review these terms before you test and/or report a vulnerability or engage with our security and development team. Please note that by engaging with us after an initial disclosure in which this policy has been specifically referenced, you are agreeing to abide by these terms and conditions, and that receipt of a copy of, or a link to, this policy constitutes your informed consent and agreement to its terms.


Safe Harbor


Bitfi pledges not to initiate legal action against security researchers for penetrating or attempting to penetrate our systems as long as they strictly adhere to this policy.


Bitfi does not permit the following types of security research:


While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:



  • Performing actions that may negatively affect Bitfi or its users (e.g. spam, brute force, denial of service, unthrottled fuzzing of web services, etc.)

  • Intentionally accessing, or attempting to access, data or information that does not belong to you for the purpose of manipulating, modifying, destroying, corrupting, disclosing, or selling that data or information, or attempting to do any of these.

  • Conducting any kind of physical, social or electronic attack on Bitfi personnel, property or data centers

  • Social engineering any Bitfi employee or contractor

  • Conducting vulnerability testing of in-scope or participating services using anything other than valid and verified developer accounts

  • Violating any laws or breaching any agreements in order to discover vulnerabilities


Scope:



  • https://bitfi.com and all sub-domains.

  • https://bitfi.dev and all sub-domains.

  • Publicly facing APIs, service platforms, infrastructure (whether virtual or physical), and data storage (storage, databases, EDMS) which are clearly identifiable as being hosted, managed, or associated directly with the organization.

  • Publicly available software/hardware that is developed by Bitfi

  • Publicly available or discovered data related to our organization (Breached Data, OSINT, Publicly accessible content where authorization is not required for access)


Reporting a potential security vulnerability:


For a vulnerability or breach disclosure to be covered by this policy, we ask that you privately share the details of the suspected vulnerability or breach with Bitfi security by sending an email to security@bitfi.com.



  • Provide full details of the suspected vulnerability to the Bitfi security team so that we may validate and reproduce the issue.

  • We ask that you do not share or publicize any unresolved vulnerability with third parties, including the media or via social media, without our written consent.


Rewards


Should a vulnerability or breach be disclosed, Bitfi may wish to reward a researcher with monetary compensation. This is handled on a case-by-case basis and is subject to all local, state, federal, and international tax and financial laws. Under no circumstances will Bitfi pay any ransom or other compensation for any report which attempts to extort or otherwise threatens to cause monetary, reputational, tort, civil, or criminal damages to our customers, organization, employees, volunteers, contractors, and officers. Any attempt to do so will be immediately reported to the appropriate authorities, including the FBI, INTERPOL, the U.S. Secret Service, state and local law enforcement agencies, and any other international law enforcement agencies where appropriate.


The Bitfi security team's commitment:


If you responsibly submit a vulnerability or breach report, the Bitfi security team and associated development and disclosure groups will use reasonable efforts to:



  • Respond in a timely manner, acknowledging receipt of your vulnerability report

  • Review, validate, and triage all reports

  • Provide an estimated time frame for addressing validated and triaged vulnerabilities identified in a report

  • Notify you when the vulnerability has been fixed

  • Review any fixes and verify that validated and reported issues have been resolved

  • Where public disclosure is deemed appropriate or necessary by the Bitfi security team, coordinate with the researcher to publish the details of the vulnerability and any mitigation measures taken by Bitfi


We are happy to thank every individual researcher who submits a report helping us improve our overall security posture at Bitfi.