Bug Bounty Program

Our team of experts make every effort to deliver high-quality fintech products and technologies to the crypto community. However, there is always room for improvement and we’d like to partner with responsible security researchers in continuing our effort to keep our clients safe. For severe vulnerabilities, we offer reward and recognition on our Wall of Fame.

Report a Bug ›

Responsible Disclosure Policy

You disclose responsibly if you:

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit, written permission of the account holder that you can provide to HaasOnline.

A valid report is any in-scope report that clearly demonstrates a software vulnerability that harms HaasOnline or HaasOnline customers. A report must be valid and in scope to qualify for a bounty. HaasOnline will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.

Bounty Rules

Adhere to the Responsible Disclosure Policy above

  • Do not attempt to gain access to another user’s account or information (use your own test accounts)
  • Report only original and previously undisclosed bugs
  • Do not disclose a bug publicly before it has been triaged or fixed
  • Do not use scanners or automated tools to find bugs
  • Interacting with customers is forbidden
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
  • Do not attack the reliability or integrity of our services (e.g, no DDoS attacks, blackhat SEO techniques, spamming, or similar questionable acts)
  • Employees of HaasOnline and its subsidiaries are ineligible

If not properly addressed or have questions, please contact us for clarification.

Services in Scope

Services provided on the following domains by HaasOnline are eligible for our Bug Bounty Program: 

  • haasonline.com (non-Wordpress related)
  • HaasOnline TradeServer Cloud
    • app.haasstage.com
    • app.haasbot.com
  • HaasOnline APIs

Note: Upon request we will provide temporary licenses/subscriptions for you to test with.

Services provided on independent domains like help.haasonline.com and wiki.haasonline.com are not included in the bounty program, though HaasOnline could give bounties at our sole discretion for reports on subdomains that lead to a critical vulnerability on the main website or services.

Qualifying Bugs

Any design or implementation issue that could result in substantial financial loss, data breach, or service degradation is within scope including, but not limited to:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF)
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Remote code execution
  • Leakage of sensitive data
  • Licensing or subscription bypass
  • Local file inclusion

Non-Qualifying Bugs

Depending on their impact, some disclosures may not qualify. Vulnerabilities in the following areas are examples of common exclusions:

  • Software packages not produced by HaasOnline, including WordPress
  • Domains hosted by third parties
  • HaasOnline branded services operated by third parties
  • HaasOnline open-source projects or community created content

We generally are not interested in the following problems:

  • Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.
  • Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.
  • Form rate limits, captcha,
  • Disclosures which are not actually bugs will not be awarded. For instance the absence of explicit “security” flag on cookies because we use HTTP Strict-Transport-Security
  • Self-XSS. Only the cases where a less-privileged user is able to execute XSS attacks on a higher-privileged user will be under the bug bounty scope.
  • Open API endpoints serving public data (Including usernames and user IDs)
  • Path disclosures for errors, warnings, or notices
  • Mixed content warnings for passive assets like images and videos
  • Lack of HTTP security headers (CSP, X-XSS, etc.)
  • Output from automated scans – please manually verify issues and include a valid proof of concept.
  • Clickjacking with minimal security implications
  • Theoretical vulnerabilities where you can’t demonstrate a significant security impact with a PoC.

Other

  • Bounties are awarded at the sole discretion of HaasOnline
  • Multiple bounties will not be awarded for variations or multiple instances of the same bug
  • Duplicate entries will only be awarded to the first submission 

Reward Guidelines

Our program loosely uses the Bugcrowd VRT for prioritizing and rewarding disclosed vulnerabilities. All bounties are paid in Bitcoin.