# Fintual Bug Bounty Program

This file describes the bug bounty program at Fintual. Please read it carefully before submitting a report.

## Project description

We offer a completely online investment service to users in both Chile and Mexico. Our users first create a pre-account by playing with an investment simulator. If they understand and like our service, they complete the onboarding process by providing their personal data and allowing us to verify their identity.

Our web platform can be reached at https://fintual.cl and https://fintual.mx. We also offer an app for Android and iOS, available from the corresponding official stores.

## Disclosure policy

We welcome and thank your good faith efforts at reporting vulnerabilities, misconfigurations, programming errors and the like. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you as long as you abide by the following rules: DO NOT LEAK OUR INFORMATION, DO NOT MODIFY OR DELETE OUR DATA, AND DO NOT DEGRADE OUR SERVICE.

## Rules

- *Language*: We accept reports in English (preferred) and Spanish. We won't accept reports in any other language.
- *Email only*: We accept reports sent to the point of contact below only.
- *Don't be evil*: Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- *Encrypted reports*: If your report includes sensitive information (passwords, PII, pictures of people, etc.), please encrypt your report with the PGP key linked below before submitting it.
- *Reproducible steps*: If the report is not detailed enough to reproduce the issue, we will label it as **incomplete** and stop considering it any further.
- *Reachable links*: If you include links to examples or further descriptions to illustrate the problem or vulnerability,
- *One vulnerability per report*: unless you need to chain vulnerabilities to demonstrate impact.
- *We don't provide any information about our platform other than what is contained in this policy*. In particular, *we don't provide information about other bug reports, other researchers, or any other aspect of our platform*.

## Process

1. You send a report to the email indicated below in the section "Contact data and links". We will not accept reports sent to us by any other means.
2. We will triage your report. The result of the triage is one of the following:
   - **Incomplete**: You did not provide enough data about the problem for us to assess or reproduce it. The report won't be considered any further.
   - **Not accurate**: We were not able to reproduce the problem, and we are fairly certain that what you reported is not accurate. The report won't be considered any further.
   - **Not reproducible**: We were not able to reproduce the problem because you did not include all the necessary data. We will ask you to clarify or complete your report.
   - **Being fixed**: We were able to reproduce the problem, but another researcher reported it first and we are already fixing it. The report won't be considered any further.
   - **Not to be fixed**: We were able to reproduce the problem, but we consider it minor or irrelevant, and we will not fix it. The report won't be considered any further.
   - **To be fixed**: We were able to reproduce the problem, and we will fix it. We will evaluate its impact, do our best to fix it, and ask you to check whether the problem was indeed fixed. In this case, we will pay you for your help. Please be aware that **the decision of how impactful the bug is rests entirely with us, not with you**.
3. If the result of the triage is **Incomplete**, **Not accurate**, **Being fixed** or **Not to be fixed**, we will send you a single email to let you know, and we won't consider the issue any further.
4. If the result of the triage is **Not reproducible**, we will ask you to clarify or include additional data so we can reconsider your report. After receiving your message, we will triage it again.
5. If the result of the triage is **To be fixed**, we will prioritize fixing the problem in our platform. If you are from:
   * Chile: We will ask you for a boleta de honorarios (Chilean fee receipt) and your checking account details so we can transfer the reward to your account. Send your boleta de honorarios to bills@fintual.com. The boleta de honorarios must be issued for the gross amount equivalent in US dollars, using the observed exchange rate on the day we send you the message, as published by the Servicio de Impuestos Internos (https://www.sii.cl).
   * Anywhere outside Chile: We will ask you for your PayPal email so we can make a transfer to your account.

## Service-level agreements

- Time to triage: 5 business days from email reception.
- Time to pay reward: 10 business days from receipt of your payment data.
- Time to solve the problem: up to 20 business days from triage of your report, depending on criticality and priority.

## Scope

We will consider reports about our web platform, DNS issues, TLS problems, online services, misconfigurations, or any other kind of problem associated with or related to the following domains:

- fintual.cl
- fintual.mx
- fintual.com
- fintual.co
- fintual.pe
- fintual.org
- fnt.al

The following domains or subdomains (and any services reachable from them) **are out of the scope of this policy**:

- fintualist.com
- store.fintual.cl
- interview.fintual.com

The following types of reports are excluded and will not be considered for rewards:

- *No social engineering*: phishing, vishing, smishing, etc., are prohibited.
- *Video only*: videos are encouraged as supporting evidence for a report. A report consisting only of a video will not be considered.
- *Outdated software*: reports stating that we use obsolete or outdated software, without a proof of concept showing how that constitutes a vulnerability, will not be considered for a reward (although we may fix it anyway).
- *Obsolete vulnerabilities*: reports about old and long-fixed vulnerability classes (e.g., tabnabbing) will not be considered for a reward unless they are applied in a genuinely new way.

## Rewards

**We will determine the impact of your reported bug**. These are the reward levels:

- Low impact bug: USD $50
- Medium impact bug: USD $150
- High impact bug: USD $500
- Critical impact bug: USD $5,000

## Contact data and links

- **Contact email**: security@fintual.com
- **Canonical**: https://fintual.com/.well-known/security.txt
- **Encryption**: https://fintual.com/pgp-key.txt
- **Acknowledgments**: https://fintual.com/hall-of-fame.txt
- **Preferred-Languages**: en, es
- **Policy**: https://fintual.com/security-policy.txt
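The contact fields above follow the security.txt layout (RFC 9116). As an added example, not Fintual's code, here is a small Python parser and checker for that layout. The sample file is constructed from the field names and URLs listed on this page; the `Expires` line, and the URI-scheme and expiry checks, are assumptions taken from RFC 9116 and are not something this policy states.

```python
"""Parse and sanity-check a security.txt file (RFC 9116 field layout).

Added example, not Fintual's code. The sample text is constructed from the
fields listed in the policy above, plus an assumed Expires line so the
required-field check has something to find.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample: field names and URLs from the policy, plus an
# assumed Expires value (the page does not list one).
SAMPLE_SECURITY_TXT = """\
# Fintual security.txt (constructed sample)
Contact: mailto:security@fintual.com
Canonical: https://fintual.com/.well-known/security.txt
Encryption: https://fintual.com/pgp-key.txt
Acknowledgments: https://fintual.com/hall-of-fame.txt
Preferred-Languages: en, es
Policy: https://fintual.com/security-policy.txt
Expires: 2030-01-01T00:00:00Z
"""

# RFC 9116: Contact and Expires are required; Expires and
# Preferred-Languages must appear at most once.
REQUIRED = ("Contact", "Expires")
SINGLE_VALUED = ("Expires", "Preferred-Languages")
# Assumed scheme list for Contact (RFC 9116 shows https, mailto and tel).
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map each field name to its list of values; skip comments and blanks."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(fields: dict[str, list[str]],
                       now: datetime | None = None) -> list[str]:
    """Return the problems found; an empty list means the file passed."""
    problems: list[str] = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact has an unexpected URI scheme: {contact!r}")
    # Link fields should point at https:// resources (assumed hardening check).
    for name in ("Canonical", "Encryption", "Acknowledgments", "Policy"):
        for url in fields.get(name, []):
            if not url.startswith("https://"):
                problems.append(f"{name} should be an https:// URL, got {url!r}")
    if len(fields.get("Expires", [])) == 1:
        raw = fields["Expires"][0].replace("Z", "+00:00")
        try:
            expires = datetime.fromisoformat(raw)
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
        else:
            if expires <= (now or datetime.now(timezone.utc)):
                problems.append("security.txt has expired")
    return problems


def preferred_languages(fields: dict[str, list[str]]) -> list[str]:
    """Split the comma-separated Preferred-Languages value into lowercase tags."""
    joined = ",".join(fields.get("Preferred-Languages", []))
    return [tag.strip().lower() for tag in joined.split(",") if tag.strip()]


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    for problem in check_security_txt(parsed):
        print("PROBLEM:", problem)
    print("languages:", preferred_languages(parsed))
```

Run it against the text fetched from the Canonical URL to confirm the published file still carries the fields this policy promises and has not passed its Expires date.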