Bug Bounty Program

Eucalyptus Labs believes in better security through openness.

We welcome and value technical reports of vulnerabilities that could substantially affect the confidentiality or integrity of user data on our apps or the security of our infrastructure.

If you believe that you have discovered such a vulnerability, please responsibly disclose it at the email address provided in the Submission Process section below. The Eucalyptus Labs team will work with you to investigate, resolve the issue promptly, and reward the first reporter of a vulnerability.

Eligibility

Eucalyptus Labs Bug Bounty Program covers our apps, our web pages, our web services, and our infrastructure. In a nutshell, we are interested in real vulnerabilities, not in the output of automated scanners. Due to a large number of emails received, we might not be able to respond to all reports for out-of-scope vulnerabilities.

Mobile App Bug Bounty Program

We are mainly interested in vulnerabilities that would eventually allow attackers to compromise wallets and/or crypto assets from Eucalyptus Labs apps.

These vulnerabilities are in-scope:

• 1. Bypass of the PIN or biometrics, excluding functionality provided natively by the operating system
• 2. Bypass of user confirmation to sign a transaction
• 3. Sensitive data leaks via memory access, network traffic, local device storage, etc.
• 4. Dependency tree a.k.a. supply chain attacks
• 5. Cryptography vulnerabilities related to BIP-39/32/44 derivation and elliptical curves

These vulnerabilities are out-of-scope:

• 1. Unencrypted Firebase service tokens.

Web Bug Bounty Program

We are interested in critical vulnerabilities in our infrastructure including front and backend.

These vulnerabilities are out-of-scope:

• 1. Presence/absence of SPF/DMARC records.
• 2. Lack of CSRF tokens.
• 3. Clickjacking and tabnagging issues.
• 4. Missing security headers that do not lead directly to a vulnerability.
• 5. Missing best practices (we require evidence of a security vulnerability).
• 6. Reports from automated tools or scans.
• 7. Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
• 8. Absence of rate limiting.
• 9. Outdated software without any noteworthy vulnerability.
• 10. Broken links.
• 11. Vulnerabilities in 3rd parties’ services, i.e. Zendesk, Twitter. etc. (report directly to them)

Responsible Disclosure Policy

We believe that coordinated vulnerability disclosure is the right approach to better protect users. When submitting a vulnerability report, you enter a form of cooperation in which you allow Eucalyptus Labs the opportunity to diagnose and remedy the vulnerability before disclosing its details to third parties and/or the general public.

In identifying potential vulnerabilities, we ask that all security researchers stick to the following principles:

• 1. Do not engage in testing that:
  • - Degrades Eucalyptus Labs information systems and products.
  • - Results in you, or any third party, accessing, storing, sharing, or destroying Eucalyptus Labs or user data.
  • - May impact Eucalyptus Labs users, such as denial of service, social engineering, or spam.
• 2. Do not exploit vulnerabilities in our infrastructure. The Bounty Program is about improving security for Eucalyptus Labs users, not deliberately trying to put the community at risk.

Submission Process

Submission reports should include a detailed description of your discovery with clear, concise steps allowing us to reproduce the issue or a working proof-of-concept.

Low-quality reports, such as those that include inadequate information to investigate, may incur significant delays in the disclosure process, which is in nobody’s interest. Please only submit one report per issue.

All communications between you and Eucalyptus Labs should go through the process outlined here.

To submit your bounty information, please use security - at - eucalyptuslabs.com.

Remediation & Disclosure

Eucalyptus Labs will be in touch, usually within 24 hours. After triage, we will send a quick acknowledgment and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it. You may receive updates with significant events such as the validation of the vulnerability, requests for additional information, or your qualification for a reward.

Bug reporters allow Eucalyptus Labs the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public.

Reward

You may be eligible to receive a reward if:

1. 1. You are the first person to submit a given vulnerability;
2. 2. That vulnerability is determined to be a valid security issue by the Eucalyptus Labs Security Team;
3. 3. You have complied with the Eucalyptus Labs Bug Bounty program policy and guidelines.

The decision to grant a reward for the discovery of a valid security issue is at Eucalyptus Labs’ sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your submission report, ease of exploitation, and overall risk for Eucalyptus Labs' users and brand.

Bounties will be paid directly to the researcher in Bitcoin. Payment will require meeting KYC requirements.

You will be responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.

To be eligible for a reward, you must not:

1. 1. Be a resident of, or make your vulnerability submission from, a country against which the USA has issued export sanctions or other trade restrictions,
2. 2. Be in violation of any national, state, or local law or regulation,
3. 3. Be employed by Eucalyptus Labs or its subsidiaries or affiliates,
4. 4. Be an immediate family member of a person employed by Eucalyptus Labs or its subsidiaries or affiliates,
5. 5. Be less than 18 years of age. If you are under 18 years old or considered a minor in your place of residence, you must get your parents’ or legal guardian’s permission prior to participating in the program.

Public Acknowledgement

In mutual consultation, we can, if you desire, display a researcher’s name or its pseudonym as the discoverer of the reported vulnerability on our website.