Paxful

Bug Bounty Policy

Add Comment

This website uses cookies to ensure you get the best experience on our website. Learn moreGot it! Please enable JavaScript to use Paxful website! Bug Bounty Policy Paxful, Inc. (also referred to as “Paxful,” “we,” “us,” or “our”) takes steps to improve our product and provide secure solutions for our customers. In this Bug Bounty Policy (“Policy”), we describe applicable cases for our Bug Bounty Program and how it should be used in connection with your use of our website at https://paxful.com/, including, but not limited to, the Paxful Wallet, online Bitcoin trading platform, mobile application, social media pages, or other online properties (collectively, the “Website”), or when you use any of the products, services, content, features, technologies, or functions we offer (collectively, the “Services”). This Policy is designed to help you obtain information about how you can participate in our Bug Bounty Program, which secure research results are applicable, and which benefits you can receive. Please note that our Service offerings may vary by region. For all purposes, the English language version of this bug bounty policy shall be the original, governing instrument. In the event of any conflict between the English language version of this bug bounty policy and any subsequent translation into any other language, the English language version shall govern and control. What is the Bug Bounty Program? In order to improve Paxful and the Services, the Paxful Bug Bounty Program provides our users an opportunity to earn a reward for identifying technical issues. How can you communicate your Bug Bounty Program findings to us? All such communications should be directed to bugbounty@paxful.com. In your submission please specify full description of the vulnerability and verifiable proof that the vulnerability exists (explanation / steps to reproduce / screenshots / videos / scripts or such other materials). Program Rules Violation of any of these rules can result in ineligibility for a bounty. <ul> <li>Test vulnerabilities only against an account that you own or accounts that you have consent from the account holder to test against.</li> <li>Never use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.</li> <li>If sensitive information such as personal information, credentials, etc.. is accessed as part of a vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after initial discovery.</li> <li>Researchers may not, and are not authorised to engage in any activity that would be disruptive, damaging or harmful to Paxful.</li> <li>Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Paxful employees), or otherwise share vulnerabilities with a third party, without Paxful's express permission.</li> </ul> How do we evaluate issues identified under the Bug Bounty Program? All findings are evaluated using a risk-based approach. Non-Disclosure Agreement Before we begin discussing any details related to confirmed issues that you have identified under the Bug Bounty Program, including compensation, etc., you will be required to enter into a Non-Disclosure Agreement with us. How do we pay Bug Bounty Program rewards? All such rewards are paid by Paxful. All rewards can be paid only if they are not contrary to applicable laws and regulations, including but not limited to trade sanctions and economic restrictions. How long will it take us to analyze your Bug Bounty Program findings? Due to the varying and complex nature of technical issues, we have not established particular timelines for analyzing findings under the Bug Bounty Program. Our analysis is finished only when we have confirmed the existence or absence of a vulnerability. What cases are excluded from the Bug Bounty Program? Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to: <ul> <li>Spam;</li> <li>Vulnerabilities that require social engineering/phishing;</li> <li>DDOS attacks;</li> <li>Hypothetical issues that do not have any practical impact;</li> <li>Security vulnerabilities in third-party applications and on third-party websites integrated with Paxful;</li> <li>Scanner output or scanner-generated reports;</li> <li>Issues found through automated testing;</li> <li>Publicly-released bugs in Internet software within 30 days of their disclosure;</li> <li>Man-in-the-Middle attacks;</li> <li>Host header injections without a specific, demonstrable impact;</li> <li>Self-XSS, which includes any payload entered by the victim;</li> <li>Login/logout CSRF;</li> </ul> More Information If you are looking for more information regarding this Policy, you may contact us by emailing privacy@paxful.com. Dark theme English (en) <ul> <li> Bahasa Indonesia </li> <li> Bahasa Melayu </li> <li> Čeština </li> <li> Dansk </li> <li> Deutsch </li> <li> Eesti </li> <li> English </li> <li> Español </li> <li> Français </li> <li> Hausa </li> <li> Italiano </li> <li> Latviešu </li> <li> Lietuvių </li> <li> Nederlands </li> <li> Norsk Bokmål </li> <li> Polski </li> <li> Português </li> <li> Português brasileiro </li> <li> Suomi </li> <li> Svenska </li> <li> Tiếng Việt </li> <li> Türkçe </li> <li> Wikang Tagalog </li> <li> Русский </li> <li> 한국어 </li> <li> 日本語 </li> <li> 简体中文(SC) </li> <li> 繁體中文(TC) </li> </ul> FAQ &amp. Help Center For You <ul> <li> Buy Bitcoin </li> <li> Buy Tether </li> <li> Buy Ethereum </li> <li> Sell Bitcoin </li> <li> Sell Tether </li> <li> Sell Ethereum </li> <li> Become a Vendor </li> <li> Paxful Wallet </li> </ul> For Your Business <ul> <li> Pay with Paxful </li> <li> Virtual Bitcoin Kiosk </li> <li> API Documentation </li> </ul> For Your Community <ul> <li> Paxful Peer Program </li> <li> Paxful Affiliate Program </li> <li> Paxful Alliance </li> <li> Community </li> </ul> Buy Anywhere <ul> <li> Buy Bitcoin in USA </li> <li> Buy Bitcoin in Nigeria </li> <li> Buy Bitcoin in China </li> <li> Buy Bitcoin in India </li> <li> Buy Bitcoin in Russia </li> </ul> Useful Links <ul> <li> Paxful Status </li> <li> Bitcoin Calculator </li> <li> Peer-to-Peer Market Prices </li> <li> Bitcoin ATM Map </li> </ul> About Paxful <ul> <li> About Us </li> <li> Business Contacts </li> <li> Careers </li> <li> Paxful Blog </li> <li> What's new </li> <li> Paxful Reviews </li> <li> Built with Bitcoin </li> </ul> Legal <ul> <li> Terms &amp. Conditions </li> <li> Vendor Reminder </li> <li> AML Policy </li> <li> Stablecoin Terms of Service </li> <li> Privacy Notice </li> <li> Bug Bounty Policy </li> <li> Cookie Policy </li> </ul> <ul> <li> Instagram </li> <li> Facebook </li> <li> Twitter </li> <li> YouTube </li> <li> Reddit </li> </ul> “PAXFUL” is a registered trademark of Paxful, Inc. Copyright © 2021 Paxful, Inc. All Rights Reserved. Paxful Inc. has no relation to MoneyGram, Western Union, Payoneer, WorldRemit, Paxum, Paypal, Amazon, OkPay, Payza, Walmart, Reloadit, Perfect Money, WebMoney, Google Wallet, BlueBird, Serve, Square Cash, NetSpend, Chase QuickPay, Skrill, Vanilla, MyVanilla, OneVanilla, Neteller, Venmo, Apple, ChimpChange or any other payment method. We make no claims about being supported by or supporting these services. Their respective wordmarks and trademarks belong to them alone. Official mailing address: 3422 Old Capitol Trail, PMB 989, Wilmington DE 19808 Contact Us