Coordinated Vulnerability Disclosure (CVD) Policy

Version: 1.0
Last Updated: May 15, 2025

1. Our Commitment to Security

At Coinmerce, we take the security of our systems, products, and services seriously. We value the contributions of security researchers and the broader security community in helping us maintain a high level of security.

This Coordinated Vulnerability Disclosure (CVD) policy outlines how we wish to work with you to identify and resolve potential vulnerabilities. We are committed to a transparent and collaborative approach to vulnerability reporting.

The aim of this CVD policy is to ensure that vulnerabilities are identified, reported, and remediated in a coordinated manner, minimizing risk to our users, data, and services.

2. Scope

This policy applies to vulnerabilities found in the following Coinmerce owned/managed systems, products, and services:

  • In Scope:
    • http[s]://coinmerce.io
    • Coinmerce brokerage platform, blog, career website
  • Out of Scope:
    • Systems or services hosted by third-party vendors (unless they directly impact our in-scope systems and you have permission from the third party).
    • Vulnerabilities in third-party software that we use but do not own (please report these directly to the vendor, though we appreciate being informed if it impacts our systems).

If you are unsure whether a system or product is in scope, please contact us at [email protected] before starting any research.

3. How to Report a Vulnerability

If you believe you have discovered a vulnerability, please report it to us as soon as possible by:

  • Emailing your findings to: [email protected]
  • Encryption: Our PGP/GPG key can be found here. Please encrypt your findings to prevent critical information from falling into the wrong hands.

When reporting, please include sufficient information to help us understand, reproduce, and address the vulnerability. This typically includes:

  • A clear description of the vulnerability, including the type of vulnerability.
  • The IP address(es), URL(s), or specific system/product component affected.
  • Step-by-step instructions to reproduce the vulnerability.
  • Proof-of-concept (e.g., scripts, screenshots, or video if helpful).
  • Estimated impact of the vulnerability.
  • Your contact information (unless you wish to remain anonymous, though providing contact details helps us in the process and enables us to give you public recognition, if desired).

4. What We Expect from You

We ask that you act responsibly and in good faith when researching and reporting vulnerabilities:

  • Report Promptly: Report the vulnerability to the designated e-mail address (encrypted) as soon as possible after discovery to minimize the risk of others finding and exploiting it.
  • Provide Sufficient Detail: Share enough information for us to understand and reproduce the issue.
  • Do No Harm:
    • Do not exploit the vulnerability beyond what is strictly necessary to demonstrate its existence; bear in mind the principle of proportionality. For example, do not download, modify, delete, or exfiltrate any data that is not your own. If you gain access to non-public data, stop your activity and report immediately. This principle of proportionality is also relevant when demonstrating the vulnerability itself. For example, if you can access the CRM that powers our website, screenshots showing the admin interface are sufficient – you do not need to deface the website. If you can obtain access to a database, it is typically sufficient to show us a list of the tables that are in there instead of dropping it.
    • Do not disrupt our services or systems (e.g., no DDoS attacks).
    • Do not contact any of our customers without discussing it with us first.
    • Do not engage in social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
    • Do not use automated vulnerability scanners that may generate high volumes of traffic without prior discussion with us.
  • Maintain Confidentiality: Do not disclose the vulnerability to others until we have had a reasonable opportunity to investigate and remediate it, or an agreed-upon disclosure timeline has been reached. You will delete all confidential information that you may have obtained from your research into our systems as soon as we have resolved the vulnerability.
  • Comply with Laws: Adhere to all applicable laws and regulations.

5. What You Can Expect from Coinmerce

We are committed to working with you in a fair and transparent manner:

  • Acknowledgement: We will acknowledge receipt of your report, typically within 3 business days.
  • Initial Evaluation & Timeline: We will provide an initial evaluation of the report and an expected timeline for remediation, typically within 5 business days. This timeline will depend on the complexity and severity of the vulnerability. For software vulnerabilities, we generally aim for resolution within approximately 60 days; for hardware, this may be longer. We will communicate any significant deviations from this timeline.
  • Confidentiality: We will handle your report with strict confidentiality. Your personal details will not be shared with third parties without your explicit permission, unless required by law.
  • Regular Updates: We will keep you informed of our progress in resolving the vulnerability.
  • Legal Action: If you conduct your vulnerability research and reporting in good faith and in accordance with this policy, Coinmerce commits not to take legal action against you concerning the creation of your report and sharing it exclusively with Coinmerce. We consider activities that fully adhere to this policy to constitute "authorized" conduct for the scope mentioned in the introduction.
  • Public Recognition (with your consent):
    • After the vulnerability is resolved, we are happy to publicly acknowledge your contribution, unless you prefer to remain anonymous. This may include mentioning your name or alias on our website, in a "Hall of Fame," or in release notes.
    • As a token of our appreciation, we may offer you a reward (such as swag, a gift certificate, or a monetary bounty) for reports of certain new (unknown to us), significant vulnerabilities. The nature and amount of the reward will be determined based on the severity, impact, and quality of the report.
  • Coordinated Disclosure: We will work with you to coordinate the public disclosure of the vulnerability after it has been remediated. We prefer to inform the wider IT and crypto communities if the vulnerability may be present elsewhere.

6. Communication

Clear and timely communication is essential for a successful CVD process.

  • During the process: We will endeavor to maintain open communication, providing updates on our progress and seeking clarification if needed. We expect you to respond to our queries in a timely manner as well.
  • Updates: This CVD policy may be updated from time to time. We will indicate the version and last updated date at the top of this policy. We encourage you to review it periodically. The latest version is maintained at: https://coinmerce.io/en/bug-found/.

7. Questions

If you have any questions about this policy or the CVD process, please contact us at [email protected].