I think I've found a bug in your software. Is there a "bug bounty" program?
Despite our concern for the security of our systems during product development and maintenance, there is always the possibility of someone finding something we need to improve, update, change or fix.
We would sincerely appreciate it if you would notify us as soon as possible if you think you have discovered a weakness or flaw in our platform so that we can take immediate measures to protect our customers and their data.
How to report
If you believe you found a security issue in one of our systems, please notify us as soon as possible via the Xumm Support xApp in Xumm or by scanning this QR code:
This article is part of our responsible disclosure policy and is not an open invitation to actively scan our network and applications for vulnerabilities. Our continuous monitoring will likely detect your scan and these will be investigated.
We ask you to:
- Not share information about the security issue with others until the problem is resolved, and to immediately delete any confidential data acquired
- Not further abuse the problem, for example, by downloading more data than is necessary in order to demonstrate the leak or to view, delete or amend the data of third parties
- Provide detailed information in order for us to reproduce, validate and resolve the problem as quickly as possible. Include your test data, timestamps and URL(s) of the system(s) involved
- Leave your contact details (e-mail address and/or phone number) so that we may contact you about the progress of the solution. We do accept anonymous reports
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties
In return, we promise the following:
- You will receive a confirmation of receipt from us within 1 working day after the report was made
- You will receive a response with the assessment of the security issue and an expected date of resolution within 4 working days after the confirmation of receipt was sent
- We will take no legal steps against you in relation to the report if you have kept to the conditions as set out above
- We will handle your report confidentially and we will not share your details with third parties without your permission, unless that is necessary in order to fulfil a legal obligation
The following types of reports fall outside this policy:
- Website unavailable reports
- Phishing reports
- Fraud reports
XRPL Labs (XUMM) encourages the reporting of security issues or vulnerabilities. We may make an appropriate reward for confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users' data that was not yet known to us. We decide whether the report is eligible and the amount of the reward.
The following are not eligible for a reward:
- (D)DoS attacks
- Error messages or error pages without sensitive data
- Tests & sample data as publicly available in our repositories at Github
- Common issues like browser header warnings or DNS configuration, identified by vulnerability scans
- Vulnerability scan reports for software we publicly use
- Security issues related to outdated operating systems, browsers or plugins
- Reports for security problems that we have been notified of before
Please note: Reports that are lacking any proof (such as screenshots or other data), detailed information or details on how to reproduce any unexpected result will be investigated but will not be eligible for any reward.
This policy is based on the National Cyber Security Centre’s Responsible Disclosure Guidelines and an example by Floor Terra.
For more information, you can find a copy of our Responsible Disclosure Policy on our website.
Just scroll down to the very bottom of the page.
We understand that you might have additional questions regarding this topic so you are welcome to contact us any time via the Xumm Support xApp in Xumm or you can simply scan this QR code with Xumm and be directed there automatically.