Voluntary Vulnerability Disclosure Program
Overview

Qoin Service treats user security as a top priority and invites cybersecurity researchers to collaborate with us through our Voluntary Vulnerability Disclosure Program (VVDP). We greatly value external contributions to the security of our services. If you discover a security vulnerability, or hold information relevant to the security of Qoin Service, we invite you to share your findings directly with us.

As a gesture of appreciation, Qoin Service awards a certificate of appreciation to external security researchers who report valid vulnerabilities. We commit not to take legal action against researchers who follow the guidelines of our VVDP. To participate, researchers must read and follow the rules of this program in full. Vulnerability findings must not be published anywhere; they are to be shared only with Qoin Service.

To keep this program secure and efficient, please do not report vulnerability findings through the Qoin Service call center. Instead, submit the details of any discovered vulnerability by email to bug@qoinservice.id. Thank you for helping to keep our services secure.

Rules
The following requirements must be adhered to in order to participate in Qoin Service’s VVDP:
  • We investigate and respond to all valid reports. Due to the volume of reports we receive, though, we prioritize evaluations based on risk and other factors, and it may take some time before you receive a reply.
  • We determine the level of recognition based on several factors, including (but not limited to) impact, ease of exploitation, and report quality.
  • We strive to provide comparable recognition for similar issues, but the form of recognition and the set of qualifying issues may change over time. Past recognition does not guarantee a similar outcome in the future.
  • In the case of duplicate reports, recognition goes to the first person who submits the issue. We must be able to identify duplicates, so details of a report must not be shared with or derived from other reports. Recognition for an issue is given to one individual only.
  • Your participation in this program must not disrupt or compromise any data that does not belong to you. Any attacks against other users or company data without provable express consent are prohibited and will automatically disqualify you from participating in the program.
  • You must not disclose the issue to the public or to any third party before it has been fixed and without prior written consent from Qoin Service.
  • You must comply with any applicable laws and regulations in connection with your participation in this program.
  • Qoin Service’s development team, employees and all other affiliates are not eligible for rewards.
Scope
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be within the scope of the program. This includes:
  • SQL Injection
  • Reflected or stored Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • File inclusion (Local/Remote)
  • Server-Side Remote Code Execution (RCE)
  • Leakage of sensitive information
  • Authentication Bypasses
  • Payment Manipulation
  • Directory traversal
  • Protection Mechanism bypasses (CSRF bypass, etc.)
  • Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc)
Out of Scope
Non-Qualifying Vulnerabilities:
  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage or in the app's private directory
  • Lack of code obfuscation
  • Authentication secrets hard-coded in, or recoverable from, the APK
  • Crashes caused by malformed Intents sent to an exported Activity/Service/BroadcastReceiver, or by malformed URL schemes (exploiting these to leak sensitive data is commonly in scope)
  • Lack of binary protection controls in the Android app
  • Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries
  • Path disclosure in the binary
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)