If you believe that you have found a security vulnerability or bug on any WazirX-owned website or application, we encourage you to let us know straight away. Our team will investigate all legitimate reports and do our best to fix the problem quickly.
Disclosure Policy
- We will acknowledge your submission only if you are the first person to report a given issue. Known issues, or issues that have already been reported, will not be considered a valid report.
- You may not publicly disclose the vulnerability prior to our
- Any improper public disclosure or misuse of information will entitle WazirX to take appropriate legal
Response Targets
WazirX will make the best effort to meet the following response targets for hackers participating in our program:
- First response: within 2 business days
- Time to triage: within 2-5 business days
We’ll try to keep you informed about our progress throughout the process.
Program Rules
Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service, and only interact with accounts you own or accounts for which you have the explicit permission of the account holder.
Please refrain from the following:
- Attempting DoS/DDoS attacks
- Automated scanning
- Using vulnerability-testing tools that automatically generate significant traffic
- Accessing private information (use your own accounts)
- Performing actions that may negatively affect WazirX users (social engineering, phishing, spam, denial of service)
- Submitting reports from automated tools without verifying them
- Performing brute force testing to determine whether rate limiting is in place for particular APIs or pieces of
In Scope
- Domain: *.wazirx.com
- Android: WazirX-owned Android applications on the Play Store
- iOS: WazirX-owned iOS applications on the App Store
Out of Scope Vulnerabilities
- Issues related to software or applications not under WazirX’s control or owned by a third party
- Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
- Missing security headers which do not lead directly to a vulnerability
- Clickjacking without an impact
- Text Injection
- Known-vulnerable library (without evidence of exploitability)
- Spam & rate limiting
- SSL/TLS protocol vulnerabilities
- Best practice concerns will be reviewed, but in general, we require evidence of a vulnerability
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Brute forcing of promo/coupon codes
- Social engineering attacks
- Email/Phone number enumeration (user enumeration)
- Any activity that could lead to the disruption of our service (DoS)
Rewards
- Our minimum reward or bounty is $100.
- The maximum reward is $500 for high or critical
- Rewards above $500 may be considered for exceptionally critical bugs/vulnerabilities reported
- Reporters of valid critical- and high-severity bugs will be listed on WazirX’s Wall of Fame
Report vulnerabilities at: security@wazirx.com
Thank you for helping keep WazirX and our users safe!