Bug Bounty Policy

Paxful, Inc. (which we may also refer to as "Paxful", "we", "us" or "our") takes steps to improve our product and to provide secure solutions to our customers. In this Bug Bounty Policy (the "Policy"), we explain how our Bug Bounty Program works and how it applies in connection with your use of the website, including, but not limited to, the Paxful online wallet, the platform for buying or selling Bitcoin, the mobile application, social media pages, or other online properties (collectively, the "Website"), or when you use any of the products, services, content, features, technologies, or functions that we offer (collectively, the "Services"). This Policy is designed to help you find out how to participate in our Bug Bounty Program, which security research results are applicable, and which benefits you can receive. Please note that the Services we provide may differ by region.

For all purposes, the English language version of this Bug Bounty Policy shall be the original, governing instrument. In the event of any conflict between the English language version of this Bug Bounty Policy and any translation into another language, the English language version shall govern and control.

What is the Bug Bounty Program?

In order to improve Paxful and the Services, the Paxful Bug Bounty Program gives our users the opportunity to earn money if they find any technical issues.

How do you report your findings under the Bug Bounty Program?

Send all reports to [email protected]. In your submission, please provide a full description of the vulnerability and verifiable proof that the vulnerability exists (explanation / steps to reproduce / screenshots / videos / scripts or other similar materials).

Program Rules

If you do not follow these rules, you may be ineligible for a bounty.

  • Test vulnerabilities only against your own account or against accounts whose owner has agreed to let you use them for testing.
  • Do not use what you find to harm anyone, to extract information from anyone's systems, or to move into other systems. Use only a proof of concept to demonstrate the issue.
  • If you encounter sensitive information such as personal information, credentials, etc. as part of the vulnerability, make sure that you do not save, send, view, or process it after the first time you see it.
  • Researchers shall not, and are not permitted to, engage in any activity that would be disruptive, damaging or harmful to Paxful.
  • Researchers shall not publicly disclose vulnerabilities (share any information with anyone other than the people who work for Paxful), or otherwise share vulnerabilities with another person, without permission from Paxful.

How do we evaluate issues found under the Bug Bounty Program?

We evaluate all findings using a risk-based approach.

Non-Disclosure Agreement

You will need to enter into a non-disclosure agreement with us before we begin discussing any information that confirms the issue you found under the Bug Bounty Program, including payment, etc.

How do we pay Bug Bounty Program rewards?

Such rewards are paid by Paxful. They are paid only if payment complies with applicable laws and regulations, including but not limited to trade sanctions and economic restrictions.

How long does it take to analyze your findings under the Bug Bounty Program?

Because of the complex and varied nature of technical issues, we have not set a specific time frame for analyzing findings under the Bug Bounty Program. Our analysis is complete only when we have confirmed whether the vulnerability exists or not.

Which cases are excluded from the Bug Bounty Program?

Some vulnerabilities are considered out of scope for the Bug Bounty Program. These out-of-scope vulnerabilities include, but are not limited to:

  • Spam;
  • Vulnerabilities that require social engineering/phishing;
  • DDOS attacks;
  • Hypothetical issues that have no practical impact;
  • Security vulnerabilities in third-party applications and on third-party websites integrated with Paxful;
  • Scanner output or scanner-generated reports;
  • Issues found through automated testing;
  • Publicly released bugs in internet software within 30 days of their disclosure;
  • Man-in-the-Middle attacks;
  • Host header injections without a specific, demonstrable impact;
  • Self-XSS, which includes any payload entered by the victim;
  • Login/logout CSRF;

More information

If you are still looking for information about this Policy, you can contact us by email at [email protected].