Investing.com offers rewards for reports from users that pinpoint security vulnerabilities in our services, infrastructure, web, and mobile applications including:
- Investing.com website as well as all language subdomains
- Native iOS app
- Native Android app
Rewards
The level of the reward will depend on the vulnerability discovered as well as its security impact.
Here’s how it’s structured:
Note that the amount of rewards varies. An actual reward may be different depending on the severity, authenticity, and exploitation possibilities of bugs as well as the environment and other factors that affect security.
Vulnerabilities of auxiliary services and vulnerabilities of non-production environments such as 'beta,' 'staging,' 'demo' etc. are rewarded only when they affect our service as a whole or may cause sensitive user data leakage.
Note that all payments will be made through PayPal, so if you’d like to participate please make sure you have an active PayPal ID. Stipulated bounty rewards are final. We won't pay additional fees or taxes.
- You are not the first person to have reported the vulnerability;
- Vulnerabilities that involve a user's software or vulnerabilities that require full access to a user’s software, account/s, email, phone, etc.;
- Vulnerabilities or leaks in third-party services;
- Vulnerabilities in older versions of third-party software/protocols, missing protections, as well as any deviation from best practices that creates a security threat;
- Vulnerabilities with no substantial security impact or exploitation possibility;
- Vulnerabilities that require the user to perform unusual actions;
- Disclosure of public or non-sensitive information;
- Homograph attacks;
- Vulnerabilities that require rooted, jailbroken, or modified devices and applications.
- Please be patient. Reports are reviewed according to the workload of the security team and we sometimes require time to fix the issue.
- A bug report should include a detailed description of the discovered vulnerability and steps that need to be taken in order to reproduce it or a working proof-of-concept. If you do not describe vulnerability details, it could take longer to review your report and/or could result in a rejection of that report.
- Do not use automated tools and scanners to find vulnerabilities. Such reports will be ignored.
- Do not perform any attack that could damage our services or data including client data. DDoS, spam, brute force attacks are not permitted.
- Do not involve other users without their explicit consent.
- Do not perform or try to perform non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure in general.
- Publishing the vulnerability, even for educational purposes, without our consent is forbidden, and under no circumstance before the vulnerability is corrected.
How to Submit a Report
If you have found a security bug and want to report it, or have questions regarding our bounty program, please use this link: Investing Help Center.