Security Issue Reporting
Vulnerability disclosure and responsible security reporting
We value the security research community and encourage responsible disclosure of security vulnerabilities.
Responsible Disclosure Policy
Our Commitment
We are committed to:
- Acknowledging security reports promptly
- Investigating all valid reports thoroughly
- Keeping researchers informed of progress
- Crediting researchers (with permission) for discoveries
- Not pursuing legal action against researchers who follow our policy
Reporting Guidelines
Please:
- Provide detailed vulnerability information
- Include steps to reproduce the issue
- Give us reasonable time to address the issue before any public disclosure (see Response Timeline below)
- Avoid privacy violations, data destruction, and service disruption
- Follow coordinated (responsible) disclosure: report privately first and agree a disclosure date with us
Please Do Not:
- Access, modify, or exfiltrate user data beyond the minimum needed to demonstrate the issue (test against accounts you control, and stop as soon as you have proof)
- Perform denial of service attacks or any other testing that degrades service for others
- Execute social engineering or phishing attacks against our staff or users
- Publicly disclose vulnerabilities before we've addressed them
What to Report
In-Scope Vulnerabilities
We are particularly interested in:
- Authentication and authorization flaws
- Cryptographic weaknesses
- Code injection vulnerabilities
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Server-side request forgery (SSRF)
- Security misconfigurations
- Sensitive data exposure
- Insecure direct object references
Out of Scope
The following are generally out of scope:
- Denial of Service (DoS) attacks
- Social engineering attacks
- Physical attacks
- Issues in third-party services
- Duplicates of previously reported vulnerabilities
- Theoretical issues without a working proof of concept or demonstrable impact
How to Report
Reporting Channels
Primary Contact:
- Email: security@cryptrac.com
- Encrypt sensitive details (proof of concept, credentials, any user data) with our PGP key, after checking its fingerprint against the one on our security page
- Include "Security Vulnerability" in the subject line
Emergency Contact:
- For critical vulnerabilities requiring immediate attention
- Phone: +1 (347) 619-3721
- Available 24/7 for critical security issues
- Use the phone line to flag the issue and coordinate; send the technical details by encrypted email rather than reading them out or texting them
Information to Include
Detailed Report Should Contain:
- Vulnerability description
- Affected components or endpoints
- Reproduction steps
- Proof of concept (when appropriate)
- Potential impact assessment
- Suggested remediation (optional)
- Your contact information
Response Timeline
Our Response Process
Initial Response:
- Acknowledgment within 24 hours of receipt
- Initial severity assessment within 72 hours
- Regular updates on investigation progress until the issue is resolved
Target Resolution Timeline:
- Critical severity: 7 days
- High severity: 30 days
- Medium severity: 60 days
- Low severity: 90 days
Recognition Program
Hall of Fame
We maintain a security researchers hall of fame to recognize contributors:
- Public acknowledgment (with permission)
- Recognition on our security page
- Certificate of appreciation for significant findings
- Potential bounty rewards for qualifying vulnerabilities
Bounty Program
Reward Tiers:
- Critical vulnerabilities: Contact for details
- High severity: Contact for details
- Medium severity: Recognition
- Low severity: Recognition
Note: Rewards are at our discretion and based on severity, impact, and quality of report.
Secure Communication
PGP Encryption
For sensitive vulnerability reports, please use our PGP key:
PGP Key Information:
- Available on our website and public key servers
- Fingerprint published on our security page; compare it with the fingerprint of the key you actually downloaded before encrypting anything (a keyserver entry carrying our address is not, by itself, proof the key is ours)
- Rotated periodically, so re-check the fingerprint before each new report
- Use it for all confidential communications
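What the researcher's side of this looks like in practice, as an added example that is not part of Cryptrac's page or tooling: a small POSIX shell script that reads the fingerprint out of a downloaded key file, compares it with the fingerprint published out of band, and only then imports the key and encrypts a report to that exact fingerprint (not to the email address, so a second key carrying the same user ID cannot be selected). The key file name, the report file name and the 40-hex-digit fingerprint below are placeholders, not Cryptrac's real values; the colon-format listing is constructed so the parsing can be exercised without gpg installed.

```shell
#!/bin/sh
# Added example (not Cryptrac's own tooling). Verify a downloaded PGP key against
# a fingerprint published out of band, then encrypt a report to that key.
# ASSUMPTIONS: PUBLISHED_FPR is a placeholder, not Cryptrac's real fingerprint;
# file names are illustrative; gpg is only invoked from verify_and_encrypt.

PUBLISHED_FPR="0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"   # placeholder

# Constructed sample of `gpg --with-colons` output (field 10 of an "fpr" record
# is the fingerprint); used to exercise the parser offline.
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1700000000::-:::escaESCA::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::0000000000000000000000000000000000000000::Example Security <security@example.invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1700000000::::::e::::::23:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:'

# Normalise a fingerprint for comparison: drop spaces/colons, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Return 0 only if both fingerprints normalise to the same full 40-hex-digit
# value. Short and long key IDs are rejected: they can be brute-forced to collide.
fingerprint_matches() {
    shown=$(normalize_fpr "$1")
    published=$(normalize_fpr "$2")
    [ "${#published}" -eq 40 ] || return 1
    [ "$shown" = "$published" ]
}

# Pull the primary key's fingerprint from colon-format output: the first "fpr"
# record after a "pub" record (subkey "fpr" records come after "sub").
primary_fingerprint_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1=="pub"{want=1} want && $1=="fpr"{print $10; exit}'
}

# $1 = downloaded key file, $2 = published fingerprint, $3 = plaintext report.
# Shows the key without importing it, checks the fingerprint, then imports and
# encrypts to the verified fingerprint. --trust-model always is acceptable here
# only because the fingerprint was just verified by hand.
verify_and_encrypt() {
    keyfile=$1; published=$2; report=$3
    listing=$(gpg --batch --with-colons --import-options show-only --import "$keyfile") || return 1
    shown=$(primary_fingerprint_from_colons "$listing")
    if ! fingerprint_matches "$shown" "$published"; then
        echo "fingerprint mismatch: got '$shown', expected '$published'; refusing to encrypt" >&2
        return 1
    fi
    gpg --batch --import "$keyfile" || return 1
    gpg --batch --trust-model always --armor \
        --recipient "$(normalize_fpr "$published")" \
        --encrypt --output "$report.asc" "$report"
}

# Usage: ./report.sh --run security-pgp.asc report.txt
if [ "${1:-}" = "--run" ] && command -v gpg >/dev/null 2>&1; then
    verify_and_encrypt "$2" "$PUBLISHED_FPR" "$3"
fi
```

The mismatch branch is the point of the script: a key fetched from a keyserver or a look-alike site will happily carry the address security@cryptrac.com, and gpg will encrypt to it without complaint; only the fingerprint comparison against the value on the security page ties the key to the organisation.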
Safe Harbor
We commit to:
- Not initiating legal action for security research conducted in good faith and within this policy
- Working with researchers to understand and address issues
- Protecting researcher identities (when requested)
- Providing clear guidance throughout the process
Security Contact Information
Primary Contact:
- Email: security@cryptrac.com
- PGP: Key available on our website and public key servers; fingerprint published on our security page
Emergency Contact:
- Phone: +1 (347) 619-3721
- Available 24/7 for critical issues
Last Updated: September 23, 2025
Thank you for helping us keep Cryptrac secure!