Bug Bounty Program

Our team of experts make every effort to deliver high-quality fintech products and technologies to the crypto community. However, there is always room for improvement and we’d like to partner with responsible security researchers in continuing our effort to keep our clients safe. For severe vulnerabilities, we offer reward and recognition on our Wall of Fame.

[haasbugbounty]

Responsible Disclosure Policy

You disclose responsibly if you:

• Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit, written permission of the account holder that you can provide to HaasOnline.

A valid report is any in-scope report that clearly demonstrates a software vulnerability that harms HaasOnline or HaasOnline customers. A report must be valid and in scope to qualify for a bounty. HaasOnline will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.

Bounty Rules

Adhere to the Responsible Disclosure Policy above

• Registration and manual approval required
• Do not attempt to gain access to another user’s account or information (use your own test accounts)
• Report only original and previously undisclosed bugs
• Do not disclose a bug publicly before it has been triaged or fixed
• Do not use scanners or automated tools to find bugs
• Interacting with customers is forbidden
• Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
• Do not attack the reliability or integrity of our services (e.g, no DDoS attacks, blackhat SEO techniques, spamming, or similar questionable acts)
• Employees of HaasOnline and its subsidiaries are ineligible

If not properly addressed or have questions, please contact us for clarification.

Services in Scope

Services provided on the following domains by HaasOnline are eligible for our Bug Bounty Program: 

• haasonline.com
• HaasOnline TradeServer Cloud
• HaasOnline APIs

Note: We will provide temporary licenses for our products for you to test with.

Services provided on independent domains like help.haasonline.com and wiki.haasonline.com are not included in the bounty program, though HaasOnline could give bounties at our sole discretion for reports on subdomains that lead to a critical vulnerability on the main website or services.

Qualifying Bugs

Any design or implementation issue that could result in substantial financial loss, data breach, or service degradation is within scope including, but not limited to:

• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF/XSRF)
• Mixed-content scripts
• Authentication or authorization flaws
• Server-side code execution bugs
• Remote code execution
• Clickjacking
• Leakage of sensitive data
• Licensing or subscription bypass
• Local file inclusion

Non-Qualifying Bugs

Depending on their impact, some disclosures may not qualify. Vulnerabilities in the following areas are examples of common exclusions:

• Software packages not produced by HaasOnline
• Domains hosted by third parties
• HaasOnline branded services operated by third parties
• HaasOnline open-source projects or community created content

Other Exclusions

• Form rate limits
• Disclosures which are not actually bugs will not be awarded. For instance the absence of explicit “security” flag on cookies because we use HTTP Strict-Transport-Security
• Bounties are awarded at the sole discretion of HaasOnline
• Multiple bounties will not be awarded for variations or multiple instances of the same bug
• Duplicate entries will only be awarded to the first submission 

How to Disclose

Disclose a vulnerability by logging into your account that was manually approved and using the “Submit a Bug Bounty” link that will appear at the top of this page. A bug report should include a description of the bug, reproduction instructions, and security impact (low, medium, high, critical). HaasOnline may award greater bounties for well done reports.

Reward Guidelines

The following guidelines give you an idea of what we usually reward for different classes of bugs. Our program uses the Bugcrowd VRT for prioritizing disclosed vulnerabilities.

All bounties are paid in Bitcoin.