A Brief Note
Tokensoft Inc., the leading platform for blockchain-enabled securities, is committed to ensuring the safety and security of our customers. Tokensoft is now formalizing its policy for accepting vulnerability reports in Tokensoft products and Tokensoft-hosted services. The goal of this program is to foster and promote an open partnership with the cybersecurity community. We appreciate any work and disclosure that contributes to the safety and security of Tokensoft customers and users of Tokensoft services. We have developed this policy both to reflect our corporate values and to uphold our legal responsibility to good-faith cybersecurity researchers who are lending their expertise.
Responsible Disclosure Policy
As a technology company, keeping our customers, technology and associated data safe is our primary concern. Tokensoft uses a Secure Development Lifecycle process in order to integrate cybersecurity best practices and solutions into its products from design, through development and release. However, it is possible for vulnerabilities to reach a production environment undetected or exploits to surface from outdated libraries or technology.
At Tokensoft we investigate all received vulnerability reports and implement the best course of action in order to protect our customers.
If you are a cybersecurity researcher and have discovered a cybersecurity vulnerability in our products, we appreciate your help in disclosing it to us in a responsible manner.
If you have identified a vulnerability that Tokensoft has been able to verify and validate, Tokensoft commits to:
- Acknowledge receipt of your vulnerability report
- Work with you or your team to understand the nature of the issue and agree together on timelines for a fix and for coordinated disclosure
- Notify you when the vulnerability is resolved, so that it can be re-tested and confirmed as remediated
- Publicly acknowledge your responsible disclosure (if you want credit for such disclosure)
Tokensoft provides the following minimum bounties. Reward amounts and severity levels are subject to review by the Tokensoft security board. Higher rewards may be provided depending on the severity of the vulnerability.
- Low: $50
- Medium: $300
- High: $750
- Critical: $2,000
Submitting your Report
In your submission please include:
- Detailed steps to reproduce the vulnerability.
- Verifiable evidence that the vulnerability exists, such as a screenshot, a video or a script. Verifiable evidence is required in order to receive recognition or an award. The evidence should include any and all URLs used to uncover the vulnerability, along with clear descriptions of any accounts used.
- If you send an image or a video, please:
  - Ensure that all text is readable and clear
  - Keep the video private and submit it on a private link.
Please submit your report to firstname.lastname@example.org
- Please ensure that the submission includes reproducible steps as well as any screenshots that may be relevant or may assist in reproduction of the issue. If we are unable to reproduce the issue, the issue will not be eligible for a reward.
- Please submit a single vulnerability per submission. If duplicate submissions are received for the same vulnerability, the first reproducible submission will be awarded.
- If multiple submissions are the result of a single vulnerability or issue, a single submission will be awarded.
- The use of social engineering such as phishing, pharming, vishing or smishing is strictly prohibited.
In Scope Targets
Out of Scope Targets
The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Website form submissions
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Lack of password length restrictions
- Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.
- Denial of service
- Vulnerabilities in third-party applications which make use of Tokensoft services
- Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim's device(s)
- Logout CSRF
- User existence/enumeration vulnerabilities
- Password complexity requirements
- Reports from automated tools or scans (without accompanying demonstration of exploitability)
- Social engineering attacks against Tokensoft Inc. employees, affiliates or contractors
- Text-only injection in error pages