Bug Bounty 

   Program

A Brief Note

Tokensoft Inc., the leading platform for blockchain-enabled securities, is committed to ensuring the safety and security of our customers. Tokensoft is now formalizing its policy for accepting vulnerability reports in Tokensoft products and Tokensoft-hosted services. The goal of this program is to foster and promote an open partnership with the cybersecurity community. We appreciate any work and disclosure that works towards providing the safety and security of Tokensoft customers and users of Tokensoft services. We have developed this policy to both reflect our corporate values and to uphold our legal responsibility to good-faith cybersecurity researchers that are lending their expertise.

Responsible Disclosure Policy

As a technology company, keeping our customers, technology and associated data safe is our primary concern. Tokensoft uses a Secure Development Lifecycle process in order to integrate cybersecurity best practices and solutions into its products from design, through development and release. However, it is possible for vulnerabilities to reach a production environment undetected or exploits to surface from outdated libraries or technology. 

At Tokensoft we investigate all received vulnerability reports and implement the best course of action in order to protect our customers.

If you are a cybersecurity researcher and have discovered a cybersecurity vulnerability in our products, we appreciate your help in disclosing it to us in a responsible manner.

If you have identify a vulnerability that Tokensoft has been able to verify and validate, Tokensoft commits to:

  • Provide prompt acknowledgement and receipt of your vulnerability report (within 72 business hours of submission)

  • Work closely with you or your team to understand the nature of the issue and work on timelines for fix or correct disclosure together

  • Notify you when the vulnerability is resolved, so that it can be re-tested and confirmed as remediated

  • Publicly acknowledge your responsible disclosure (if you wish credit for such disclosure)

If you provide us with a reasonable time to respond to your submission prior to making any information public and make a give us reasonable time to respond to your report before making any information public and make a good faith effort to avoid do not violate the privacy of any individual or entity, violate the privacy policy, destroy any data or interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you. We would prefer to give you recognition for your efforts, but you can remain anonymous at your discretion and be paid with virtual currency.

Rewards

Tokensoft provides the following minimum bounties. Rewards amounts and severity levels are subject to review by the Tokensoft security board. Higher rewards may be provided depending on the severity of the vulnerability.

  • Low: $50

  • Medium: $300

  • High: $750

  • Critical: $2,000

Submitting your Report

In your submission please include:

  • Detailed steps to reproduce the vulnerability.

  • Provide verifiable evidence the vulnerability exists such as a screenshot, a video or script. Verifiable evidence is required in order to receive recognition or an award. The evidence should include any and all URLs used to uncover the vulnerability. Provide clear descriptions of any accounts used.

  • If you send an image or a video, please:

    • Ensure that all text is readable and clear

    • If there is text in a javascript console, please copy and paste all payloads in your submission.

    • Keep the video private and submit it on a private link.

Please submit your report to security@tokensoft.io

Rules
  • Please ensure that the submission includes reproducible steps as well as any screenshots that may be relevant or may assist in reproduction of the issue. If we are unable to reproduce the issue, the issue will not be eligible for a reward. 

  • Please submit a single vulnerability per submission. If duplicate submissions are received for the same vulnerability, the first reproducible submission will be awarded.

  • If multiple submissions are the result of a single vulnerability or issue, a single submission will be awarded.

  • The use of social engineering such as phishing, pharming, vishing or smishing is strictly prohibited.

  • In your discovery please do not violate the privacy of any individual or entity, privacy policy, destroy any data or interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. 

In Scope Targets
  • *.stagetokensoft.com

Out of Scope Targets

The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.

  • Unauthenticated/logout/login CSRF.

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Missing best practices in SSL/TLS configuration.

  • Any activity that could lead to the disruption of our service (DoS).

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS Lack of password length restrictions

  • Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.

  • Self-XSS

  • Denial of service

  • Spamming

  • Vulnerabilities in third-party applications which make use of Tokensoft services

  • Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim's device(s)

  • Logout CSRF

  • User existence/enumeration vulnerabilities

  • Password complexity requirements

  • Reports from automated tools or scans (without accompanying demonstration of exploitability)

  • Social engineering attacks against Tokensoft Inc. employees, affiliates or contractors

  • Text-only injection in error pages

Talk to us about your offering.

  • medium
  • White Twitter Icon
  • White LinkedIn Icon

Join our mailing list

THIS WEBSITE IS OWNED AND OPERATED BY TOKENSOFT, INC. (“TOKENSOFT”), A TECHNOLOGY COMPANY PROVIDING COMPLIANCE AND BLOCKCHAIN-BASED SERVICES FOR ISSUERS OF SECURITIES OR OTHER DIGITAL ASSETS.  TOKENSOFT IS NOT A BROKER-DEALER, INVESTMENT ADVISER, OR FINANCIAL ADVISOR.  TOKENSOFT IS NOT REGISTERED WITH THE U.S. SECURITIES & EXCHANGE COMMISSION (SEC) NOR ANY OTHER REGULATORY AGENCY OR BODY IN THE UNITED STATES OR INTERNATIONALLY.  TOKENSOFT DOES NOT GIVE INVESTMENT OR LEGAL ADVICE, ENDORSEMENTS, ANALYSIS, OR RECOMMENDATIONS WITH RESPECT TO ANY SECURITIES OR OTHER DIGITAL ASSETS. NOTHING ON THIS WEBSITE SHALL CONSTITUTE OR BE CONSTRUED AS AN OFFERING OF SECURITIES OR AS INVESTMENT ADVICE OR INVESTMENT RECOMMENDATIONS BY TOKENSOFT OR ANY OF ITS AFFILIATES OR A RECOMMENDATION AS TO AN INVESTMENT. ALL THIRD PARTY SECURITIES OFFERINGS AND DIGITAL ASSETS POWERED BY TOKENSOFT’S TECHNOLOGY ARE OFFERED BY, AND ALL INFORMATION RELATED THERETO IS THE RESPONSIBILITY OF, THE APPLICABLE ISSUER OF SUCH SECURITIES OR DIGITAL ASSETS. TOKENSOFT DOES NOT CUSTODY ANY DIGITAL SECURITIES OR DIGITAL ASSETS ON BEHALF OF ANY OF ITS CUSTOMERS OR USERS OF OUR WEBSITE SERVICES.


For information relating to Tokensoft Global Markets, our affiliate broker-dealer, please visit https://www.tokensoftmarkets.com.