Last modified on 31 July 2018 (Version 1.2)
1. Security Policy General
1.1. This security policy (hereinafter: “Security Policy”) is an integral part of the Terms provided by the Tokens.net platform and cannot, in any way, be separated from them. By using the Terms, you automatically agree with the Security Policy.
1.2. If there is any misalignment between the Security Policy and the Terms, the Terms shall prevail.
2. User’s Responsibility
2.1. The User is solely responsible for the safekeeping of account credentials (username, email, password) and any access keys such as API keys, two-step authentication keys or any other credentials used to authorise or authenticate to the Platform.
2.2. You acknowledge that it is your responsibility to protect your credentials and email account against phishing. Neither the Platform nor the Operator assumes or accepts liability or responsibility for any loss or damage (whether direct or indirect), whatsoever, caused as a result of phishing emails, phishing websites, phishing advertisements or phishing through other channels. You shall promptly report any successful or failed attempts of phishing to the Operator.
2.3. As an increased security measure, 2FA Identification may become mandatory to log in to the Platform, and the User understands that a compatible mobile device may be required in order to log in using an application such as Google Authenticator or Authy.
2.4. The Operator may prompt you to change your credentials if you do not update them regularly, and you are solely responsible for choosing credentials that substantially differ from your other credentials (e.g. not using passwords that are the same as those for your social media profiles, emails, names or any kind of simplistic terms) and for limiting access to your account by keeping them secure and confidential.
2.5. You shall take care that your computer is not compromised, and you must regularly monitor your computer's performance, install appropriate antivirus software, avoid installing software from unknown sources, avoid opening email attachments from unknown senders and avoid visiting risky websites (e.g. pornography, downloads, games, free applications). You are solely responsible for taking all security precautions to prevent your computer from being hacked.
2.6. We cannot guarantee that all the information, programs, texts, etc. contained in the Platform are free from interference by malicious programs such as viruses, trojans, and other kinds of malware; therefore, your login to the Platform or use of any services offered by this Website, download of any program, information and data from the Platform and your use thereof are your personal decisions, and you shall bear any and all risks and losses that may possibly arise therefrom.
2.7. You shall immediately inform the Operator if you suspect any unauthorised use of your account or if your account credentials are compromised, lost or stolen.
2.8. You are obliged to observe the security and authentication procedures whilst using the services of the Platform and to inform the Operator in a timely manner of any suspicious activities or observations.
2.9. You shall immediately inform the Operator if you suspect any violations of the security rules. The Operator may provide you with instructions on how to initiate a temporary freeze of your account, even when you are not logged into the Platform. The Operator may charge you for a temporary freeze or unlocking of your account at your request.
2.10. If the Operator detects any suspicious activity related to your Account, the Operator may request additional information from you, including verifying identification, or temporarily freeze transactions and logins until a review is conducted; the Operator is in no way obligated or required to do so, and it is subject to its sole discretion. The Operator shall not be liable or responsible for any loss incurred by the User as a consequence of conducting security measures.
2.11. You shall log out from the Platform after any use of a shared computer by taking proper steps at the end of the session, such as pressing logout and terminating the internet browser session.
2.12. You shall not use any device, software or subroutine to intervene or attempt to intervene in the normal operation of the Platform.
2.13. You shall not take any action that would cause an unreasonable amount of data to be loaded onto the network equipment of the Operator.
2.14. As required to keep the system consistent and to maintain the general order and security of transactions on the Platform, the Operator reserves the right to close relevant orders and take other actions in the case of any suspicion of a malicious sale or purchase or any other event disturbing the normal order of transactions on the market. The Operator may also unilaterally determine whether you have violated any of the covenants mentioned above and, according to such unilateral determination, apply the relevant rules, take actions thereunder and temporarily or permanently terminate services to you, without your consent or prior notice to you. Any loss or costs arising from such actions shall be borne solely by the User.
3. Responsible Disclosure Policy
3.1. Responsible disclosure is a model under which the researcher gives the Operator a reasonable amount of time to fix the issue before publishing it elsewhere, and does not leak or destroy any User data or defraud other Users or the Operator itself in the process of discovery.
3.2. In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem, provided they do their best to follow the above guidelines.
3.3. Rewards may be paid out to the account of researchers who report a previously unknown security vulnerability of sufficient severity. There is no minimum or maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.
3.4. The Operator reserves the right to decide if the bug is real and serious enough for the researcher to receive the bounty. As a framework for reference, please consider the following list of things we want to know about: XSS, CSRF, authentication bypass or privilege escalation, remote code execution, obtaining sensitive User information, accounting errors, unjust enrichment via a software issue. The following are not of interest to us: denial of service, spamming, rate limiting on login or password recovery forms, misconfigured SPF, DKIM or DMARC records, vulnerabilities in software not hosted or not operated by the Operator.
3.5. Use of automated injection scanners, filename fuzzers and similar scanning techniques disqualifies you from bug bounties and is deemed malicious. Examples are non-targeted scans using Acunetix, Sqlmap, Wfuzz, Meg, Dirbuster or similar software. Any such attempts may also result in your connectivity to and/or access to the Platform being restricted.
3.6. You can disclose a vulnerability by contacting us directly by email; please include code which reproduces the issue, a detailed description of the bug and its potential impact, along with your username for a potential pay-out.