Switcheo looks forward to working with the security community to find security vulnerabilities in order to keep Switcheo, Switcheo TradeHub, and other products in the Switcheo ecosystem safe.
Do not discuss your findings publicly until we have had time to fix the vulnerability and have given you permission to do so.
Follow our submission steps below.
All security reports should be sent only to our disclosure email address: firstname.lastname@example.org.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
You are ineligible for bounty rewards if the vulnerability submitted is already known to Switcheo, if it is publicly disclosed before the submission process with Switcheo is complete, or if it is found to have already been exploited.
The most important class of bugs we're looking for is any flaw in our smart contract code that would result either in a loss of funds or in the platform becoming broken or unusable.
A loss of funds bug includes any vulnerability where a user can siphon assets from other users or the platform in an unintended way. For example, if a user were able to take ETH, NEO, or SWTH from a market that they were not entitled to, this would be a loss of funds bug.
Also included is any bug that allows someone to lock up funds in such a way that they become irrecoverable.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Clickjacking on pages with no sensitive actions.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Missing best practices in SSL/TLS configuration.
Denial of service that is not a result of application engineering.
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
Game theory attacks which are already noted in the whitepaper (e.g. parasitic markets, malicious resolution source).
The following vulnerabilities / bugs are already known and are not eligible for bounty:
To Be Specified as Discovered
Switcheo may offer monetary rewards for vulnerability disclosure. Not all vulnerabilities will attract monetary rewards, and the decision to grant a reward is entirely at Switcheo's discretion. The amount of each bounty payment will be determined by Switcheo.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Switcheo safe!