Bug Bounty Policy

Paxful, Inc. (also referred to as “Paxful,” “we,” “us,” or “our”) takes steps to improve our product and provide secure solutions for our customers. In this Bug Bounty Policy (“Policy”), we describe applicable cases for our Bug Bounty Program and how it should be used in connection with your use of our website at https://paxful.com/, including, but not limited to, the Paxful Wallet, online Bitcoin trading platform, mobile application, social media pages, or other online properties (collectively, the “Website”), or when you use any of the products, services, content, features, technologies, or functions we offer (collectively, the “Services”). This Policy is designed to help you obtain information about how you can participate in our Bug Bounty Program, which secure research results are applicable, and which benefits you can receive. Please note that our Service offerings may vary by region.

For all purposes, the English language version of this bug bounty policy shall be the original, governing instrument. In the event of any conflict between the English language version of this bug bounty policy and any subsequent translation into any other language, the English language version shall govern and control.

What is the Bug Bounty Program?

To improve Paxful and the Services, the Bug Bounty Program gives users the opportunity to earn a reward for identifying technical issues.

How can you communicate your Bug Bounty Program findings to us?

All such communications should be directed to [email protected]. In your submission, please provide a full description of the vulnerability and verifiable proof that the vulnerability exists (explanation / steps to reproduce / screenshots / videos / scripts or such other materials).

Program Rules

Violation of any of these rules can result in ineligibility for a bounty.

  • Test vulnerabilities only against an account that you own or accounts that you have consent from the account holder to test against.
  • Never use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.
  • If sensitive information such as personal information, credentials, etc. is accessed as part of a vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after initial discovery.
  • Researchers may not, and are not authorised to engage in any activity that would be disruptive, damaging or harmful to Paxful.
  • Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Paxful employees), or otherwise share vulnerabilities with a third party, without Paxful's express permission.

How do we evaluate issues identified under the Bug Bounty Program?

All findings are evaluated using a risk-based approach.

Non-Disclosure Agreement

Before we begin discussing any details related to validating the issue you have identified under the Bug Bounty Program, including compensation, etc., you will be required to enter into a Non-Disclosure Agreement with us.

How do we pay Bug Bounty Program rewards?

All such rewards are paid by Paxful. All rewards can be paid only if they are not contrary to applicable laws and regulations, including but not limited to trade sanctions and economic restrictions.

How long will we take to analyze Bug Bounty Program findings?

Due to the varying and complex nature of technical issues, we have not established a specific timeline for analyzing findings under the Bug Bounty Program. Our analysis will be complete only once we have confirmed the existence or absence of a vulnerability.

Which cases are excluded from the Bug Bounty Program?

Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:

  • Spam;
  • Vulnerabilities that require social engineering/phishing;
  • DDOS attacks;
  • Hypothetical issues that do not have any practical impact;
  • Security vulnerabilities in third-party applications and on third-party websites integrated with Paxful;
  • Scanner output or scanner-generated reports;
  • Issues found through automated testing;
  • Publicly-released bugs in Internet software within 30 days of their disclosure;
  • Man-in-the-Middle attacks;
  • Host header injections without a specific, demonstrable impact;
  • Self-XSS, which includes any payload entered by the victim;
  • Login/logout CSRF;

More Information

If you are looking for more information about this Policy, you can contact us by sending an email to [email protected].