Last Modified: March 10, 2021
At ShapeShift, we take security seriously. We encourage independent security researchers to contact us in order to privately report security vulnerabilities or issues. The information on this page is intended for those security researchers that are interested in reporting security vulnerabilities directly to the ShapeShift security team.
The way in which you disclose the vulnerability to us and the public is important. Please take care to comply with each of the following points:
• Disclosure reports that you submit to ShapeShift must include enough details, descriptions, and/or examples so that the issue can be re-created by ShapeShift staff.
• All vulnerabilities must be disclosed in a way that minimizes harm to ShapeShift’s users, partners, and systems. This requires strict confidentiality until the vulnerability is mitigated.
• Details about the vulnerability must not be disclosed publicly until ShapeShift has confirmed to you in writing that its users and infrastructure are protected from harm.
• All details about your research, testing, and methodology for discovery should be disclosed honestly and professionally to ShapeShift staff without reservation, even the facts you feel may be cast in a negative light.
• You must comply with all applicable federal, regional, and local laws in connection with your security research activities, or other participation in this Responsible Disclosure Program.
• You must communicate and work with ShapeShift staff to assist ShapeShift in mitigating the vulnerability and testing the mitigation.
• Disclosures that do not fully comply with this program will not be eligible for any bounties, or any of the other assurances discussed below.
If you adhere to the disclosure guidelines above, ShapeShift promises the following:
• ShapeShift will calculate a bounty that is commensurate with the impact and exploitability of the vulnerability, as well as the manner in which the vulnerability was disclosed to us. ShapeShift retains the exclusive right in its sole and unfettered discretion to assign bounties to disclosed vulnerabilities.
• To receive a bounty, you must reside in a country not on sanctions lists (e.g., Crimea, Cuba, Iran, North Korea, Sudan & Syria).
• ShapeShift will work with you to ensure responsible disclosure of the vulnerability to the public. Depending on your wishes and the circumstances, this may include the publication of blog posts on our blog, hyperlinking to articles or blog posts on your website, mentions in social media, and/or public recognition of your responsible disclosure on this web page.
• ShapeShift will not pursue any legal action against you or your company for unlawful access of computer systems, accessing confidential information, or damages to ShapeShift systems as a result of the vulnerability that was disclosed in accordance with ShapeShift’s Responsible Disclosure Program.
There are some types of issues that ShapeShift does not consider vulnerabilities.
These issues, which are not covered by this program, are listed below:
• Denial of Service (DoS) attacks that leverage high volumes of traffic
• Spamming / Phishing
• Non-critical findings from automated vulnerability scanners
• Social Engineering of ShapeShift personnel
• Physical attacks on ShapeShift offices and assets
• Third-party applications and websites that are used by ShapeShift (e.g. ZenDesk, WordPress, etc.)
How to Report Security Vulnerabilities
If you would like to disclose a vulnerability to ShapeShift, we encourage you to submit a report through our helpdesk using the provided form found here.
Alternatively you can send a report to firstname.lastname@example.org with the word [VULNERABILITY] in the subject line. However, it is important that the email contains the following information:
- Your email address
- Subject line [Vulnerability]
- Summary of the vulnerability
- Affected system(s) or URL
- Impact/Analysis
- Steps to Reproduce
- Any attachments or proof of concept material
Failure to provide any of the above information may result in slower response times and may affect the calculated bounty reward if the report is deemed qualified for a bounty.
Please include the following information in your email:
- Your name, nickname, handle, or what you’d like to be called while we communicate with you.
- The date/time you first identified the vulnerability.
- How you identified the vulnerability.
- As much detail about the vulnerability as you can.
- How many times you leveraged the vulnerability during your testing (and if applicable, a list of each test you performed).
- Any additional information you feel may be pertinent.
If you would like to encrypt your vulnerability report, you can use the following GPG key:
It was a privilege to work with the following researchers who collaborated with us to disclose vulnerabilities in a safe and responsible manner:
- Erik Voorhees, ShapeShift CEO