Last updated: September 16, 2022
This vulnerability disclosure policy (VDP) applies to any vulnerabilities you are considering reporting to Crossmint. Please read this VDP fully before you report a vulnerability and always act in compliance with it.
We value those who take the time and effort to report security vulnerabilities according to this policy. Thank you in advance for your submission and discretion. We appreciate researchers assisting us in our security efforts.
Your testing must not violate any law, or disrupt or compromise any data that is not your own.
This policy applies to the crossmint.com domain and the following hostnames:
Any other subdomain of crossmint.com is excluded from this policy.
Any design or implementation issue that substantially affects the confidentiality or integrity of user data or can crash the application is likely to be within the scope of the program. For instance - authentication or authorization flaws, server-side code execution, etc.
Make sure your submission report includes the proof of concept and replication information.
Submissions that include just the output of automated tools will be marked as invalid. You must clearly outline the attack vectors and reproduction steps needed to accomplish the compromise, we consider this to be a critical element of vulnerability research. Reports with a lack of details may be marked as invalid.
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
- Performing actions that may negatively impact Crossmint or its users (e.g. Spam, Brute Force, Denial of Service...) or other tests that impair access to or damage a system or data.
- Accessing, or attempting to access, data or information that does not belong to you.
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
- Social engineering of any Crossmint team employee, or contractor. - Violating any laws or breaching any agreements in order to discover vulnerabilities.
The following findings are specifically non-rewardable within this program:
- Disclosure of known public files or directories, (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- Logout Cross-Site Request Forgery (logout CSRF)
- Self XSS
- Lack of Secure and HTTPOnly cookie flags
- Misconfigured or lack of SPF/DKIM records
- Missing HTTP security headers, e.g.: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only
- Out of date software versions
- Issues that affect users of out of date browsers and browser extensions - Vulnerabilities in third-party components
- Bugs that require exceedingly unlikely user interaction
- Content spoofing and text injections issues without a real attack vector and/or without being able to modify HTML
- Subdomain takeover without a proof of concept
- Domain squatting or any other domain speculations
- Vulnerabilities that requiring physical access to a user’s device
Reporting a vulnerability
If you believe you’ve identified a potential security vulnerability on our platforms, please send your reports directly to the Crossmint Security Team at [email protected]. This will ensure your report reaches us directly and we can respond sooner. Do not submit as a support ticket or in the Discord channel!
Please do not file a public issue or discuss the vulnerability in public places like Discord, Twitter, etc.
If you found multiple vulnerabilities, please send them in separate emails.
Make sure your report includes:
- A clear and relevant title
- Affected service/API
- Vulnerability details and impact
- Reproduction steps/Proof of Concept (e.g. scripts, video, screenshots, curl commands, etc)
- Any technical information and related materials Crossmint team would need to reproduce the issue.
By submitting a report or communicating with the Crossmint team at [email protected], the Crossmint team will presume that the submitter has read, understood, and agreed to the guidelines described in this policy.
What happens after reporting a vulnerability
After you have submitted your report, we will respond to your report within 5 working days and aim to triage your report within 10 working days. We will keep you informed of our progress. We assess the issues by looking at the impact, severity and exploit complexity.
We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately. Once your vulnerability has been resolved, we welcome requests to disclose your report. However, please refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report.
We typically do not offer any cash rewards for submissions. However, we might make an exception in the case of valid critical bugs and high-quality reports.
Reward amounts are decided based on the maximum impact of the vulnerability. Well-written and useful submissions have a higher likelihood to be considered for a reward.
You will qualify for a reward only if you were the first person to report a previously unknown flaw.