At Bottlepay, we consider the security of our systems a top priority. We do realise that no matter how much effort we put into system security, there can still be vulnerabilities present.
We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not usually offer monetary rewards for vulnerability disclosures.
If you discover a vulnerability, we would like to know about it so we can take steps to resolve the issue as quickly as possible.
If you believe you have found a security vulnerability, please email your findings to [email protected]. We have a PGP key you can use to encrypt your findings; you can find it at https://bottlepay.com/legals/pgp-key.txt.
In your report please include details of:
Where the vulnerability occurs, for example the URL, IP, or version of the app.
A brief description of the vulnerability.
Steps to help us reproduce the vulnerability. This should be a non-destructive proof of concept.
A CVSS calculation for the vulnerability.
We will not initiate any legal action against you provided that you:
Only test against your own account. Do not interact with any account that you do not own.
Do not access or attempt to access data that does not belong to you.
Do not exploit a security issue that you discover for any reason.
Do not perform actions that may negatively impact Bottlepay or our users, for example (but not limited to): denial of service, sending malicious software and/or files, or testing third-party applications that we have integrations with or that integrate with us.
Do not reveal the problem to others until it has been resolved.
Do not use attacks on physical security, social engineering or spam.
We will confirm receipt of your report within 5 business days.
If you have followed the instructions above, we will not take any legal action against you in regard to the report.
We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
We will keep you informed of the progress towards resolving the problem.
In the public information concerning the problem reported, we will give your handle/name as the discoverer of the problem (unless you desire otherwise).
We strive to resolve all problems as quickly as possible.
We currently do not maintain a public wall of thanks for reported issues and security researchers.
This policy, in its most current version, is hosted at https://bottlepay.com/legals/disclosure-policy/.