# Fintual Bug Bounty Program

We welcome and heartily thank your reports about vulnerabilities in our websites and applications; we focus on some specific issues more than others, so please read this policy before submitting a report.

This policy was last updated on 20240529T112000-03

## What is our platform about

We offer an investing app that is completely online to users both in Chile and Mexico. Our users first create their pre-accounts by completing an investment simulation. Users that complete this simulation have to upload their ID documents to be considered full users. Before that, their accounts have not been validated, and do not actually contain any sensitive information. Only after they have uploaded their ID documents and we have validated their documents can users invest.

Our web platform can be reached at https://fintual.cl and https://fintual.mx, but we have other domains. We also offer an App for Android and iOS that can be reached at the corresponding official stores.

## Safe harbor

Recently, the Chilean law concerning cybercrime (http://bcn.cl/32uaf) was updated to make it harsher against alleged offenders (and unfortunately security researchers). Despite this modification, we welcome and thank your good faith efforts at reporting vulnerabilities, misconfigurations, programming errors and the like in our platforms.

To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you as long as you abide by these general rules: **do not leak our information**, **do neither modify nor delete our data**, and **do not degrade our service**. In other words: **don't be evil**.

The following rules are hard rules: if you violate them, **we will** prosecute you to the fullest extent of the law:

- _No social engineering_: phishing, vishing, smishing, etc., are prohibited.
- _No DDoS_: Don't DDoS us.
- _Explicit and previous permission to use accounts_: Use only accounts you own. If you use an active account belonging to one of our clients, you must obtain their explicit permission before using it (unless of course you are one of our clients).

## Guidelines and scope

- **Reports by email only**: Please submit your reports to security@fintual.com. If your report includes sensitive information (passwords, PII, pictures of people, etc.), please encrypt it using the GPG key below.
- **Reproducible steps**: If the report is not detailed enough to reproduce the issue, we will label it as **incomplete** and we won't consider it any further.
- **Reachable links**: If you include links to examples or further descriptions to illustrate the problem or vulnerability, please make sure that they are reachable. For example, don't assume that we will enter our hackerone or bugcrowd credentials to reach a specific link.
- **Language**: We accept reports in English (preferred) and Spanish. Most of us speak only two languages: English and Bad English :)
- **Obsolete vulnerabilities**: reports about old-and-fixed vulnerabilities (e.g., tabnabbing) will not be considered for a reward, unless the technique is applied in a brand new way.

We will consider reports about our web platform, DNS issues, TLS problems, online services, misconfigurations, or any other kind of problem that is associated or related to the following domains:

- fintual.cl
- fintual.mx
- fintual.com
- fintual.in
- fintu.al
- fnt.al

The following domains or subdomains (and any services that are reachable from these) are out of the scope of this policy:

- fintualist.com
- store.fintual.cl

## Bounties

**We** will determine the impact of your reported bug. Broadly speaking, these are the rewards that we give:

| Business Impact  | Bounty range [USD] |
| ---------------- | ------------------ |
| LOW              | [100, 249]         |
| MEDIUM           | [250, 999]         |
| HIGH             | [1_000, 4_999]     |
| CRITICAL         | [5_000, 9_999]     |
| MISSION CRITICAL | [10_000, beyond[   |

If you discover something really serious (_mission critical!_), please contact us and let us know. **We are definitely open to bigger rewards if the problem you report is really serious**. Keep in mind that we assess the bounty based not only on CVSS, but on actual/potential business impact.

## We are not interested in

The following reports do not qualify for a bounty, unless you provide enough evidence of an exploitable vulnerability:

- Rate limiting on non-sensitive endpoints
- Best practices concerns without evidence of a real security vulnerability
- Race conditions that don't compromise the security of our users, employees or business
- Reports about theoretical damage without a real risk
- The output of automated scanners without explanation and evidence of a security vulnerability
- Missing cookie flags on non-security-sensitive cookies
- Attacks requiring physical or console access to a user's device
- Missing security headers not related to a security vulnerability
- Reports of insecure SSL/TLS ciphers unless you have a working proof of concept
- Open ports without a vulnerability
- Disclosure of known public files or directories (e.g. robots.txt)
- DNSSEC and DANE
- HSTS or CSP headers
- Host header injection without showing how a third party can exploit it
- Firebase `apiKey` in our websites (read their documentation!)
- Missing DMARC/BIMI

## How we process your report

1. Send us your report to security@fintual.com. We will triage it; the result will be one of:
   - **Incomplete**: You did not provide enough data about the problem for us to be able to assess it or reproduce it. The report won't be considered any further.
   - **Not accurate**: We were not able to reproduce the problem, and we are mostly certain that what you reported is not accurate. The report won't be considered any further.
   - **Not reproducible**: We were not able to reproduce the problem because you did not include all the data. We will ask you to clarify or complete your report.
   - **Being fixed**: We were able to reproduce the problem, but another researcher reported it first and we are fixing it. The report won't be considered any further.
   - **Not to be fixed**: We were able to reproduce the problem, but we consider it minor or irrelevant, and we will not fix the problem. The report won't be considered any further.
   - **To be fixed**: We were able to reproduce the problem, and we will fix it. We will evaluate the impact of the problem, do our best to fix it, and ask the researcher to check whether the problem was indeed fixed or not. In this case, we will pay the researcher for her help.
   - Please be aware that **the decision of how impactful the bug is remains completely on us, not on you**.
2. If the result of the triage is either **Incomplete**, **Not accurate**, **Being fixed** or **Not to be fixed**, we will send you a single email to let you know and we won't consider the issue any longer.
3. If the result of the triage is **Not reproducible**, we will ask you to please clarify or include additional data so that we can reconsider your report. After receiving your message, we will triage it again.
4. If the result of the triage is **To be fixed**, we will prioritize the problem to be fixed in our platform. If you are from:
   - Chile: We will ask you for a boleta de honorarios (Chilean fee receipt) and your checking account details so that we can make a transfer to your account. You must send your boleta de honorarios to bills@fintual.com. The boleta de honorarios must be issued for the gross amount equivalent in dollars, according to the observed exchange rate on the day we send you the message, as published by the Servicio de Impuestos Internos (https://www.sii.cl).
   - Anywhere outside Chile: We will ask you for your PayPal email, so we can make a transfer to your account.

## How long we will take

We will take at most 5 business days from email reception to triage your report. If we accept your report, we may take up to 10 business days after we receive your payment data (but we usually take a lot less than that). For reports we accept, we may take longer to fix them, depending on criticality and priority.

## Other notes

We have rate limiting rules configured to protect certain URLs. We often receive reports about using IP Rotate with Burp Suite, stating that you can produce an application-level DDoS. Of course you can do that, and that's normal; there is no way one could "fix" this. Yes, we use captchas to keep automated traffic at a safe level.

## Contact data and links

**Contact email**: security@fintual.com

**Canonical**: https://fintual.com/.well-known/security.txt

**Encryption**: https://fintual.com/pgp-key.txt

**Acknowledgments**: https://fintual.com/hall-of-fame.txt

**Preferred-Languages**: en, es

**Policy**: https://fintual.com/security-policy.txt