Bitrefill Responsible Vulnerability Disclosure Policy

Introduction

At Bitrefill, we take the security of our systems and the protection of our users very seriously. Despite our ongoing efforts to enhance security, vulnerabilities may still arise. If you identify a potential security issue, we encourage you to report it responsibly.

Program Scope

The following assets are in scope:

  • bitrefill.com (main website)
  • embed.bitrefill.com (widget)
  • api.bitrefill.com (public API)
  • Mobile applications (iOS and Android)

Before You Submit

Please verify:

  • The issue affects a production in-scope asset such as bitrefill.com (not staging/test environments)
  • You have a working proof of concept
  • The issue is not listed in Out of Scope below

How to Report a Vulnerability

If you believe you have discovered a vulnerability in any of Bitrefill's services, please follow these guidelines:

  1. Reach Out: Send your findings to [email protected]. This email is for vulnerability reports only.
  2. Descriptive Subject Line: Use a specific and informative subject line that names the vulnerability class and the affected asset (for example, "SQL injection on bitrefill.com" rather than a generic "Security issue").
  3. Provide a Proof of Concept: Include step-by-step reproduction instructions, affected URL(s), screenshots or video if applicable, and impact assessment.
  4. One Report Per Email: To ensure clarity, please submit one vulnerability per email.
  5. Avoid Exploitation: Do not exploit the vulnerability beyond what is needed to confirm it, and do not access data that does not belong to you. Refrain from downloading or altering data to demonstrate the issue.
  6. Maintain Confidentiality: Please do not disclose the vulnerability to third parties until we have resolved it.

Our Commitment

  • Safe Harbor: If you follow the guidelines outlined in this policy, we will regard your actions as responsible and will not pursue legal action against you in connection with your report.
  • Acknowledgment: We will confirm receipt of your report on a best effort basis.
  • Evaluation Feedback: We will assess your report and provide an expected timeline for resolution as soon as possible.
  • Confidentiality Assurance: Your report will be handled confidentially, and we will not share your personal information without your consent unless required by law.
  • Progress Updates: We will keep you informed about the status of the resolution throughout the process.
  • Recognition and Rewards: We value your contribution and offer monetary rewards for major vulnerabilities that we were previously unaware of, as well as credit on our website for lesser ones.

Out of Scope Vulnerabilities

The following types of vulnerabilities are out of scope and not eligible for rewards under this policy:

  • Issues stemming from third-party services (e.g., payment processors).
  • Vulnerabilities that do not affect Bitrefill services or data.
  • User interface (UI) and user experience (UX) issues, such as typographical errors or design inconsistencies.
  • Reports generated by automated tools that lack manual validation.
  • Vulnerabilities requiring physical access to a user's device.
  • Social engineering attempts targeting Bitrefill employees or customers.
  • Vulnerabilities that require the user to be tricked into taking an action before they can be exploited (e.g., phishing).
  • Non-exploitable vulnerabilities that do not directly impact confidentiality, integrity, or availability.
  • Weaknesses in third-party libraries or frameworks outside of Bitrefill's control.
  • Missing security headers that do not directly lead to a vulnerability.
  • Issues related to SPF/DMARC/DKIM/MTA-STS records or email server configuration.
  • Information disclosures that do not involve sensitive user data.
  • Denial of Service (DoS) attacks or attempts to disrupt service availability.
  • Most security issues that can be found just by running automated tools.
  • Vulnerabilities that have already been reported.
  • Vulnerabilities on related sites or subdomains not listed in Program Scope, such as blog.bitrefill.com.
  • Findings on staging, test, or development environments.
  • Password policy suggestions.
  • Session/cookie behavior that does not lead to account takeover or data exposure.
  • SSL/TLS certificate informational findings (e.g., cipher suite preferences).
  • Server version disclosure or banner information.
  • Theoretical cache poisoning or request tampering without demonstrable impact.

Invalid Submissions

The following will not be considered:

  • Reports without technical details or proof of concept.
  • Vague claims of security flaws without specific evidence.
  • Demands for payment before disclosing vulnerability details.

Severity Ratings

  • Critical:
    • Full login bypass
    • Arbitrary code execution on production servers
    • Arbitrary query execution on production databases
    • Access to crypto wallets
  • High:
    • Support tool access
    • Private customer information leak
    • Account balance manipulation
    • Refund on delivered products
    • Product delivery without full payment
  • Medium:
    • Non-sensitive XSS or CSRF
    • Purchase limit bypass
  • Low:
    • Unexpected behavior with no information leak or privilege escalation
    • System information leak that should not be available to the general public

Additional Notes

This program is intended to foster collaboration and may be subject to change or termination at Bitrefill's discretion. Any individuals engaged in malicious activity or harassment will be disqualified from receiving rewards.

Thank you for helping us enhance the security of Bitrefill!