Introduction

Remitano recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.
Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Remitano account has been compromised, change your email password and immediately contact support via [email protected]

The Bug Bounty Program directly serves Remitano's mission by helping us be the trusted way to exchange between fiat and cryptocurrencies. 

The Bug Bounty Program scope covers all software vulnerabilities in services provided by Remitano.
A valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Remitano or Remitano customers. A report must be a valid, in scope report in order to qualify for a bounty. Remitano will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.

Program Policies

Remitano pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.
If legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Remitano cannot and does not authorize security research on other entities.

Researcher Requirements

Complying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:

  • Providing Remitano a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.
  • Making a good faith effort to preserve the confidentiality and integrity of any Remitano customer data.
  • Not defrauding Remitano customers or Remitano itself in the process of participating in the Bug Bounty Program.
  • Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Remitano.
  • Reporting vulnerabilities with no conditions, demands, or ransom threats. Remitano considers Social Engineering attacks against Remitano employees be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Remitano employees will be banned from the Remitano Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.

Report Evaluation

In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Remitano that harms Remitano or Remitano customers. Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.

On Treating Similar Vulnerabilities

In particular, we may decide that multiple reports are so closely related, or all caused by a single underlying root case, and thus consider these multiple reports as a single vulnerability and only reward once.

Response Times

Remitano will make a best effort to meet the following SLAs for hackers participating in our program:
Time to first response (from report submit) - < 2 business days
We’ll try to keep you informed about our progress throughout the process.

Vulnerabilities Categorization

We categorize issues in to classes as of below:

Notice that we are not considering these as a valid security attack:

  1. abusive reversal using ACH / bank transaction / credit card chargeback
  2. log in without 2FA code - this is designed as a feature (we ask for 2FA code when fund need to be moved)

Scope

Our scope is listed below in the structured scope section. Additionally, all vulnerabilities that require or are related to the following are out of scope:

  • Social engineering
  • Physical security
  • Non-security-impacting UX issues
  • Vulnerabilities or weaknesses in third party applications that integrate with Remitano
  • Bring down Remitano with DDOS Attack

If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.

Investigating suggestions

Please, never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to your fellow users or to Remitano.

Format of reporting

  • Please include following in your report:
  • Asset - What software asset the vulnerability is related to (e.g. remitano.com, remitano iOS app)
  • Severity - Your opinion on the severity of the issue (e.g. high, moderate, low)
  • Summary - ­Add summary of the vulnerability
  • Description -­ Any additional details about this vulnerability
  • Steps - Steps to reproduce
  • Supporting Material/References ­- Source code to replicate, list any additional material (e.g. screenshots, logs, etc.)
  • Impact - What security impact could an attacker achieve?

Please be available to cooperate with Remitano engineering team to provide further information on the report if needed.

Fine Print

We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.

Did this answer your question?