Vulnerability Rewards Program (VRP)

Our team is continually looking for ways to improve upon our high security standards. Despite the greatest efforts, we acknowledge the possibility that our experts may have missed a bug in our system potentially exposing a threat to security. Should you find a vulnerability in our system, we invite you to contact us for compensation through our Vulnerability Rewards Program and recognition on our Wall of Fame.

Conscientious Examination and Disclosure

To be eligible for consideration in our VRP please consider the following:

  • Do not interfere with or violate the privacy of our clients, destroy data and/or interrupt our services;
  • While investigating the vulnerability, we ask you only target your own accounts, not those of our other clients;
  • Leave our physical security measures and do not attempt any spam, DDoS attacks or social engineering hacking; and
  • Disclose the vulnerability only to NDAX and not to a third party.

We kindly request you investigate and report bugs in a way that makes a reasonable, fair and good faith effort to not be disruptive or harmful to NDAX or our clients. Otherwise, your actions may be interpreted as an attack rather than an effort to be helpful.

Eligibility

Security issues that pose a substantial exposure to our site security or trading interface may be entitled for remuneration. All prizes are given at the discretion of NDAX’s management team. Some examples of eligible security issues may include:

  • Authentication Bypass;
  • Clickjacking;
  • Code Injection;
  • Cross Site Request Forgery;
  • Cross Site Scripting;
  • Leakage of Sensitive Data;
  • Privilege Escalation;
  • Remote Code Execution.

Ineligibility

We do not reward the following:

  • Vulnerabilities previously known to NDAX, or previously reported by a third party (where there has been a prize awarded);
  • Vulnerabilities that have not been conscientiously examined and conveyed to NDAX;
  • Vulnerabilities dependent on physical attack, social engineering, spamming, DDoS attack, etc;
  • Vulnerabilities affecting out-of-date or unpatched browsers;
  • Vulnerabilities on third party sites unless they lead to a vulnerability on NDAX’s main site;
  • Problems that are not replicable; and
  • Problems that we may not rationally be expected to do anything about.

Compensation

We reward a minimum of $100 CAD in BTC for any eligible vulnerability. The more serious the vulnerability, the greater the prize. However, rewards remain subject to NDAX’s discretion.

How to Report a Vulnerability

  • Email your vulnerability report to [email protected]
  • Please include as much information in your report as possible, including a description of the vulnerability, it’s potential impact, and steps for reproducing it or a proof of concept.
  • Should you wish, include your name and link as you would like it to appear on our Wall of Fame.
  • Include your BTC address for payment.
  • Please allow 2 business days for a response from NDAX.

Wall of Fame

Nobody has reported any vulnerabilities yet.