Your Security is Our Priority
At Decentro, we take the security of your financial data and personal information seriously. We employ robust security measures to protect your assets and ensure a safe and secure environment for all your financial transactions.
We work diligently to stay ahead of emerging threats and vulnerabilities. However, we also recognize the importance of a collective community effort to maintain the highest level of security. If a security researcher or a member of the general public identifies a vulnerability in our systems and responsibly shares the details with us, we appreciate their contribution, work closely with them to address the vulnerability with urgency, and, if they wish, publicly acknowledge their contribution. Decentro reserves the right to determine whether a report is valid, based on the impact of the vulnerability.
Your contribution to our security is valued and plays a vital role in the continuous improvement of our services. Thank you for helping us maintain a safe and secure financial ecosystem.
To be eligible for recognition, you must:
- Be the first person to disclose the bug responsibly.
- Report a bug that could compromise our users’ private data, circumvent the system’s protections, or enable access to a system within our infrastructure.
Scope
Decentro - Website Link
Out of Scope
- authmanager.decentro.tech
- base.decentro.tech
- dashboard.decentro.tech
- docs.decentro.tech
- in.decentro.tech
- monitoring.decentro.tech
- partner.decentro.tech
- ping.decentro.tech
- postman.decentro.tech
- rule.decentro.tech
- rule-engine.decentro.tech
- sea.decentro.tech
- sentry.decentro.tech
- strapi.decentro.tech
- utils.decentro.tech
Reporting Exclusions
- Vulnerabilities found through automated testing
- “Scanner output” or scanner-generated reports
- Publicly released CVEs or 0-days in internet software within 90 days of their disclosure
- “Advisory” or “Informational” reports that do not include any Decentro testing or context
- Vulnerabilities requiring MITM or physical access to the victim’s unlocked device.
- Denial of Service attacks
- SPF and DKIM issues
- Content injection
- Hyperlink injection in emails
- IDN homograph attacks
- RTL Ambiguity
- Content Spoofing
- Vulnerabilities relating to Password Policy
- Full-Path Disclosure on any property
- Version number information disclosure
- Third-party applications on the Decentro Application directory (identified by the existence of a “Report this app” link on the app’s page). Please report vulnerabilities with these services to the creator of that specific application.
- Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking vulnerabilities
- CSRF-able actions that do not require authentication (or a session) to exploit
- Reports related to the following security-related headers:
  - Strict Transport Security (HSTS)
  - XSS mitigation headers (X-Content-Type and X-XSS-Protection)
  - X-Content-Type-Options
  - Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
- Bugs that do not represent any security risk
- Security bugs in third-party applications or services built on the Decentro API – please report them to the third party that built the application or service
- Security bugs in software related to an acquisition for a period of 90 days following any public announcement
- HTTP TRACE or OPTIONS methods enabled
- Non-sensitive (i.e., non-session) cookies missing the Secure or HttpOnly flags
- Tap jacking
- Mobile client issues that require a rooted device and/or an outdated OS version, or SSL pinning issues
- Subdomain takeovers without supporting evidence
- Missing best practices in SSL/TLS configuration.
- Vulnerabilities that cannot be used to exploit other users or Decentro, e.g., self-XSS or having a user paste JavaScript into the browser console
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
Rules of Engagement
At Decentro, we value your assistance and the time you dedicate to maintaining the security and functionality of our platform. If you've discovered a bug or vulnerability, we appreciate your responsible disclosure and adherence to these rules of engagement:
- Verify the Issue: Before reporting a bug, please ensure that local configurations, browser settings, or user errors do not cause the issue. Verify that it is a genuine platform bug.
- Confidentiality: If you discover a security vulnerability, ensure it remains confidential. Do not disclose it publicly or to other individuals.
- Report Promptly: Please report the bug or vulnerability to us as soon as possible after discovery. This allows us to address it quickly.
- Responsible Disclosure: Follow responsible disclosure practices. Allow us a reasonable amount of time to fix the issue before disclosing it to others.
- Provide Details: When reporting a bug, be thorough in your description. Include details such as the steps to reproduce the issue, the environment (e.g., browser and device), and any relevant screenshots or error messages.
- Report to the Right Channel: Use the designated bug reporting channels provided by Decentro for reporting issues. Do not contact individual employees directly for security-related matters.
- Legal Compliance: Your bug reporting should be in compliance with all applicable laws and regulations.
Types of Recognition
We do not have a bounty/cash reward program for such disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures,
- We provide exclusive Decentro goodies as a token of appreciation.
- We would also be glad to publicly acknowledge your contribution in the “Hall of Fame” section on our website. Of course, this will be done if you want a public acknowledgement.
Reporting a Security Vulnerability
If you have discovered a security vulnerability or a bug within our platform, we encourage you to report it immediately. Your responsible disclosure of security issues helps us to address and rectify them promptly.
Reporting Process:
If you happen to have identified a vulnerability on any of our web or mobile app properties, we request you to follow the steps outlined below:
- Please submit the vulnerability report form with the necessary details to recreate the vulnerability scenario. This may include screenshots, videos or simple text instructions.
- If possible, share with us your contact details (phone number), so that our security team can reach out to you if further inputs are needed to identify or close the problem.
- If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our system’s ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one.
- While we appreciate the inputs of White-Hat hackers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impairing our systems.
- Bug Bounty Program: OpenBugBounty
Responsible Disclosure Guidelines
We expect you to adhere to the following guidelines when reporting a security vulnerability:
- Act Ethically: Do not exploit the vulnerability for personal gain, and do not disclose the issue publicly until it has been resolved.
- Provide Sufficient Information: Include enough details in your report to help our security team understand and reproduce the issue.
- Respect User Privacy: Do not access, modify, or delete user data. Only interact with your own accounts for testing.
- No Malicious Actions: Do not perform any actions that may disrupt the availability or integrity of our services.
- Legal Compliance: Ensure your actions comply with all applicable laws and regulations.
Hall of Fame
Decentro thanks and congratulates the following people for finding and responsibly disclosing security vulnerabilities in our environment. We are grateful for their contribution and efforts towards the security of Decentro.
Join our Bug Bounty program and become a part of our security journey.