Responsible Disclosure

We treat the security of our systems as a top priority. If you discover a vulnerability, we want to know about it, and we'll thank you with a reward starting at €50 in Bitcoin.

Author: Lara Lupgens

How to report a vulnerability

Found a vulnerability in any BTC Direct system? Report it through our responsible disclosure programme. The minimum reward for a qualifying report is €50 in Bitcoin. Please follow these steps:

  • E-mail your findings to responsibledisclosure@btcdirect.eu.
  • Provide enough detail to reproduce the issue. Usually the affected URL or IP address plus a clear description is enough. For complex issues, include screenshots, the tools you used, and step-by-step reproduction notes.
  • Don't exploit the vulnerability further. Don't download more data than needed to demonstrate the issue, and don't modify or delete data that isn't yours.
  • Don't share the issue publicly until we've resolved it.
  • Don't use prohibited methods. No physical attacks, social engineering, DDoS, spam, or attacks against third-party services.

What we promise in return

When you submit a report through this programme, we commit to the following:

  • Response within 30 business days. You'll receive our evaluation of your report plus an expected resolution date.
  • No legal action. As long as you followed the rules above, we won't take legal action against you in connection with your report.
  • Strict confidentiality. We won't share your personal details with third parties without your permission.
  • Progress updates. We'll keep you informed as we work towards a fix.
  • Public credit. When the issue is resolved and made public, we'll credit you as the discoverer, unless you'd rather stay anonymous.

Minimum reward: €50 in Bitcoin. As thanks for your help, we offer a reward for every previously unknown security issue that has a meaningful impact on our platform or our customers. The exact amount depends on severity and the quality of your report.

Out of scope

The following issue types are not considered reportable vulnerabilities on their own. We'll still review combinations of these if together they create a real security impact.

  • Generic application or server error messages
  • HTTP 404s and other non-200 status codes
  • Public files and directories (such as robots.txt)
  • CSRF on pages available to anonymous users
  • CSRF without a serious impact on users
  • Active TRACE HTTP methods
  • Classic SSL attacks like BEAST, BREACH or Renegotiation
  • Missing SSL Forward Secrecy
  • Missing X-Content-Type-Options header
  • Missing other generic HTTP security headers
  • HTTPS mixed-content warnings or scripts

Contact

For any responsible disclosure report, please use:

Email: responsibledisclosure@btcdirect.eu

We aim to resolve every reported issue as quickly as possible. Once a fix is in place, we'd like to coordinate with you on any public publication of the issue.