Security Policy

Last modified on 8 October 2018 (Version 1.3)
1. Security Policy General
1.1. This security policy (hereinafter: “Security Policy”) is an integral part of the Terms provided by the Tokens.net platform and cannot, in any way, be separated from them. By using the Terms, you automatically agree with the Security Policy.
1.2. If there is any misalignment between the Security Policy and the Terms, the Terms shall prevail.
2. User’s Responsibility
2.1. The User is solely responsible for the safekeeping of account credentials (username, email, password) and any access keys such as API keys, two-step authentication keys or any other credentials used to authorise or authenticate to the Platform.
2.2. You acknowledge that it is your responsibility to protect your credentials and email account against phishing. Neither the Platform nor the Operator assumes or accepts liability or responsibility for any loss or damage (whether direct or indirect), whatsoever, caused as a result of phishing emails, phishing websites, phishing advertisements or phishing through other channels. You shall promptly report any successful or failed attempts of phishing to the Operator.
2.3. As an additional security measure, 2FA Identification may become mandatory to log in to the Platform, and the User understands that a compatible mobile device may be required in order to log in using an application such as Google Authenticator or Authy.
2.4. The Operator may prompt you to change your credentials if you do not update them regularly. You are solely responsible for choosing credentials that substantially differ from your other credentials (e.g. not reusing the passwords of your social media profiles or email accounts, and not using names or other simplistic terms) and for limiting access to your account by keeping them secure and confidential.
2.5. You shall take care that your computer is not compromised: you must regularly monitor your computer's performance, install appropriate antivirus software, avoid installing software from unknown sources, avoid opening email attachments from unknown senders and avoid visiting risky websites (e.g. pornography, downloads, games, free applications). You are solely responsible for taking all security precautions to prevent your computer from being hacked.
2.6. We cannot guarantee that all the information, programs, texts, etc. contained in the Platform are free from interference by malicious programs such as viruses, trojans, and other kinds of malware; therefore, your login to the Platform or use of any services offered by this Website, download of any program, information and data from the Platform and your use thereof are your personal decisions, and you shall bear any and all risks and losses that may possibly arise therefrom.
2.7. You shall immediately inform the Operator if you suspect any unauthorised use of your account or if your account credentials are compromised, lost or stolen.
2.8. You are obliged to observe the security and authentication procedures whilst using the services of the Platform and to inform the Operator in a timely manner of any suspicious activities or observations.
2.9. You shall immediately inform the Operator if you suspect any violation of the security rules. The Operator may provide you with instructions on how to initiate a temporary freeze of your account, even when you are not logged into the Platform. The Operator may charge you for a temporary freeze or unlocking of your account at your request.
2.10. If the Operator detects any suspicious activity related to your Account, the Operator may request additional information from you, including verifying identification, or temporarily freeze transactions and logins until a review is conducted; the Operator is in no way obligated or required to do so, and it is subject to its sole discretion. The Operator shall not be liable or responsible for any loss incurred by the User as a consequence of conducting security measures.
2.11. You shall log out from the Platform after any use of a shared computer by taking proper steps at the end of the session, such as pressing logout and terminating the internet browser session.
2.12. You shall not use any device, software or subroutine to intervene or attempt to intervene in the normal operation of the Platform.
2.13. You shall not take any action that places an unreasonable amount of data load on the network equipment of the Operator.
2.14. As required to maintain system consistency intact, as well as the general order and security of transactions on the Platform, the Operator reserves the right to close relevant orders and take other actions in the case of any suspicion of a malicious sale or purchase or any other events disturbing the normal order of transactions on the market as well as unilaterally determine whether you have violated any of the covenants mentioned above and, according to such unilateral determination, apply relevant rules and take actions thereunder and temporarily or permanently terminate services to you, without your consent or prior notice to you. Any loss or costs arising from such actions shall be solely borne by the user.
3. Responsible Disclosure Policy
3.1. Responsible disclosure is a model under which the researcher gives the Operator a reasonable amount of time to fix the issue before publishing it elsewhere, and does not leak or destroy any User data or defraud other Users or the Operator itself in the process of discovery.
3.2. In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem, provided they do their best to follow the above guidelines.
3.3. Rewards may be paid out to the account of researchers who report a previously unknown security vulnerability of sufficient severity. There is no minimum or maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.
3.4. The Operator reserves the right to decide if the bug is real and serious enough for the researcher to receive the bounty. As a framework for reference, please consider the following list of things we want to know about: XSS, CSRF, authentication bypass or privilege escalation, remote code execution, obtaining sensitive User information, accounting errors, unjust enrichment via a software issue. The following are not of interest to us: denial of service, spamming, rate limiting on login or password recovery forms, misconfigured SPF, DKIM or DMARC records, vulnerabilities in software not hosted or not operated by the Operator.
3.5. Use of automated injection scanners, filename fuzzers and similar scanning techniques disqualifies you from bug bounties and is deemed malicious. Examples are non-targeted scans using Acunetix, Sqlmap, Wfuzz, Meg, Dirbuster or similar software. Any such attempts may also result in restrictions on your connectivity to and/or access to the Platform.
3.6. You can disclose a vulnerability by contacting us directly via email at security@tokens.net. Please include: code which reproduces the issue, a detailed description and the potential impact of your bug along with your username for potential pay-out. We recommend using PGP to ensure secure delivery of reported vulnerabilities. You can use the following PGP key: