# Summary

We want you to disclose found vulnerabilities through our Responsible Disclosure Program.

Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give us your written permission to do so.

If your security research as part of the Responsible Disclosure Program violates certain restrictions in our site policies, the Safe Harbor terms permit a limited exemption. Only security research done in good faith in compliance with the code of conduct and scope of this program is protected by this program.

We reserve the right to issue rewards for found vulnerabilities at our sole discretion.

## Reporting a vulnerability

All vulnerability reports should be made in the form of an email to security@thalex.com.

**Please do not share your findings with anyone else without written consent from Thalex.**

**Please do not report security vulnerabilities to Customer Support.**

Include in your report as much of the following information as possible:

- Vulnerability description;
- Step-by-step instructions to reproduce the vulnerability, including all the preconditions (e.g. having a registered account that has passed KYC);
- Proof-of-concept or exploit code;
- Impact description;
- Video, screenshots, or logs illustrating the vulnerability.
You can use this PGP key to encrypt the details of the vulnerability:

```
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGbXEAoBDADD+8Qfb90r6DrquTIjb+/VxH4h5HOhKrNsup8FHRfiA//BiBmF
chRJ2xDVuzoQ/xNwav3+zoF1/Qn81oAaGL/zrqnWnTFIyJ6A0e+/sNNAlHyEFJ3O
1ETNWSZgZhz3COymzEvp6l5NfDOk2Z0g6JJWTkHHSUOclx5piY4NW0SIXaqfggN3
wr33HWcbcLvEYBMt9cMtAFdOzmBHw+DGPXiIqdPBRMWOypflDPmU7AwLqOQTuqhk
jDXrRknXVpulKya//cLeyeXopCdGazVk50isSskVcI3ELS0Jku//qPchfbVAPqeL
8ZzIcOywVmMj72kkeVvn9Qg29vDj8zfSrgH7c9zpBhf6MFPST8AunwSI99v+xzsQ
mTpvsBuewkY/N7Y4KixQnfWEFaGfq0JqeKVrLGO3IMStzFSW7cj7BUHeO91LC723
xWnb+e/ZSHNfg9ISfW1Lnq1Czo2XNa7C9kKrV0KyDlF/tgZjW0/WMtAKmKWccj34
uLN5fr1tDXB3UUUAEQEAAbQTc2VjdXJpdHlAdGhhbGV4LmNvbYkB1AQTAQoAPgIb
AwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBPiPzwOs7HLJB3/wo1ZdU9180Kfp
BQJm1xKZBQkJZgQPAAoJEFZdU9180KfpLOUL/RUscE0nnNyhvGV/GV8amU6Re1EG
WI5PfeyYVHUHI0PK9vPE7YGPWAwRjmJSmIdvWvXjf8YoL8TcPymSjE8qtlVVL2dq
+9YrJxRo9XlkVmmLswWwaX62xXpuFFRs69fWVUzzOmitL/pk5Xy1o8ox3VYjQgY6
/Z6sPu0RFo8B14lUXhKXVrEzrWP3GycSLgFriwtxzVLEafU4o+qelmm+c29kKvDR
Aab+/wpqnLqz0w0h+GSCZhBIOVI0TZc7+FlPXPWryqYXJQDWYwccKziuttYekidJ
TIVG7YIOWe665qH2LEvNdhGopQJPWwHyFz6I0Qm272aKhy78vBA4zaldjdpaJvr5
UkVVH0+DPfKQGszkSqP3/1ipi8l8ukSsK6vsRbgjM03rxg/r5sQNN84daGtHo27E
WrFtz+IuTDKhtIJdfAVCSR3bMY9gX4YM30np04Un40Z7qqY8n3xUsmU1vOlSpVt2
rzrJrKA3yZKuuGqZNLvgCKftkoLVxFDgQKgaZrkBjQRm1xAKAQwAyw1Iv8i0/OU9
UaXRpWGzZK2wOMGZJAV87JOPY01REoQKgPmuDkFDH9NSOi0gvjd9j/AdTPEq541z
J5mB95h7dBJUVCncGWmzJb+Z3f8AEREQW+VvnfffTTJshwjcmIb0DWK84aN5t0GO
mwp7j82ptQKjV7Tm4cw2myYrcqADe2raA1+QGM6h2iBfkjm7ljuCvBGN5H50jOgM
f1J7QASGWZb3TXQdxTUwQkxkoCT8QsDSyhKGWTaCGYffORGTiK+5Qlubk37+COL0
v/vHAHSwlwnw/Q3temq2p0JcWj7hHQzCwX3vHNPUKgO74K2RMV9SLC5KLubJPRQI
U6KWeLrPUVchOy+y8iOi5J/yrU/n/Mt6aLj5jFC0K9UnX/a70DtbCzmapitpGKl1
Mn8ta8rctMKlV2HjQNs8vfEgpjxDiNYUdJisXxW0rkydEkE7B4dqtO3Ct4XLlrA5
4TXH3QwrYPWJx9fTD8cZZqnzaeLr2andj1mw8Br3wQW00Sqhyk2LABEBAAGJAbwE
GAEKACYWIQT4j88DrOxyyQd/8KNWXVPdfNCn6QUCZtcQCgIbDAUJA8JnAAAKCRBW
XVPdfNCn6ccNDACZ+7hbJNSLhYXwfRCX5riiiHdOPCRxbCgmBTtGW7JPkF9sQyoj
g9U5f7Pu0Nt+myK8GbyNvpBJKYDMXcJiFg3iEpt1WGhxwUaG+fuZeGpiltWSn4Im
kfU2YWolSQY8JtUajCwDz70EHSj6BcmzWNDMX5lhjMgWPtX0Ut9LmFZMOutGBwvk
DJvPLCFWKgSL5EnadI5Q9LTK0J9Nq8gpfSBm/Snca/PD0ic+Xg+6E3DPfh85qYmq
t1Nbvfn65zA6Kh9u+4UMiIbteJHJSMDvN1kkl4/L0kzHy3Ppb976bDZ7Jk1zSuec
CwDrown2MdexaKRw/exStwVhCtyKQpkicyPhOAGO0KB/iETMzEwc8aATjPablmiE
4rLT+8D3xJnMJDul3DbchSzc2uHoEcoewXS9Z9kqfx/0zOgZkITuF2RXm9ByQSlx
XjG5lwPdcRC1VbDIx02QCyC9jyp0r3huSRGPqlFIKvpiNMID1VarylfrUqd3QkYz
6NBxFuWtFga+lg4=
=6oIK
-----END PGP PUBLIC KEY BLOCK-----
```

If the reported vulnerability affects a third party -- we may provide said third party non-identifying substantive information from your report. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give us your written permission to do so.

## Code of conduct

To be protected by our Responsible Disclosure Program all Security Researchers must follow these rules:

1. Do not do anything illegal.
2. Do not do anything that impacts Thalex, Thalex customers, Thalex employees or Thalex partners.
3. In the event that your action accidentally harmed somebody or led to an outage -- contact Thalex immediately. We reserve the sole right to determine whether a violation of this program is accidental or in good faith, and proactive communication with us before engaging in any action is a factor in that decision. If in doubt -- ask us first.
4. Inform us about found vulnerabilities as soon as possible, with as much detail as possible. The end goal of this program is to improve the security of Thalex, and only research that is done with that goal in mind falls under the terms of this program.
5. Do not exploit any found vulnerabilities further than is necessary to establish that the vulnerability exists. Do not engage in data exfiltration or any actions that modify the behaviour of the vulnerable system.
6. Do not perform actions that affect accounts of other people.
   If you need an account to demonstrate the vulnerability -- use your own account. If you have found credentials for someone else's account -- do not go any further than checking that the credentials are still valid.
7. Do not disclose or comment on any information about found vulnerabilities to third parties without explicit consent from Thalex. A reward being paid for the vulnerability does not constitute consent.
8. Do not engage in any activity that is false or misleading. This includes, but is not limited to, phishing, black hat SEO, spam, etc.
9. Do not help anyone break these rules.

## Scope of the program

Only certain resources fall under the scope of this program:

- thalex.com
- testnet.thalex.com
- direct.thalex.com
- reseller-dev.thalex.com
- thalex.systems
- thalex.exchange

These actions and vulnerabilities are explicitly outside the scope of this program:

- Phishing and social engineering.
- Attacks that require a high volume of network packets.
- DDoS attacks.
- Black hat SEO.
- Vulnerabilities of third-party applications and services.
- Vulnerabilities caused by out-of-date browsers and browser add-ons.
- Vulnerabilities caused by out-of-date or no longer maintained OS versions.
- Vulnerabilities requiring jailbroken devices.
- Vulnerabilities requiring physical access to an unlocked device to exploit.
- Absent Perfect Forward Secrecy in TLS ciphers.
- Non-exploitable clickjacking findings, such as pages missing X-Frame-Options that are not exploitable.
- Cross-site request forgery with minimal or no security impact.
- Generic best practice concerns without demonstrable exploitation.
- Password complexity-related concerns.
- Any report generated by an automated tool without a PoC or demonstrable exploitation.

## Safe Harbor

Thalex is determined to encourage Security Researchers to come forward with their findings, for any vulnerabilities they find on Thalex assets that may be exploited by malicious third parties.
Thalex wants to extend certain guarantees to Security Researchers acting in good faith, and to limit the application of certain terms of use, for the purposes of such encouragement.

We consider security research and vulnerability disclosure activities conducted consistent with this Program not to constitute "intent" under Part 15 of the Crimes Act 2011. We waive any potential claim against Security Researchers in good faith complying with the terms of this Program for circumventing the technological measures in the Scope of this program.

However, should the security research involve the networks, systems, information, applications, products, or services of a third party (which is not Thalex), we cannot bind that third party, and they may pursue legal action or notify law enforcement. Thalex cannot, and does not, authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect Security Researchers from any third party action based on their actions, irrespective of intent, or from any legal action brought in Gibraltar or elsewhere, initiated in accordance with local laws and procedural rules.

Thalex warrants to take all reasonable steps to avoid taking legal action against Security Researchers that act in Good Faith, namely by:

- Abstaining from taking legal action;
- Not disclosing personal details to any third party, unless required to do so by a court of law or a law enforcement agency from a jurisdiction deemed compliant with international rule of law and human rights standards;
- If a legal action is initiated by a third party, including law enforcement, against a Security Researcher because of their participation in this Program, and the Security Researcher complied with the terms of this Program (i.e. has not made intentional or bad faith violations) -- Thalex will take steps to make it known that the actions of the Security Researcher were conducted in compliance with the Program.
## Rewards

We reserve the right to issue rewards for found vulnerabilities at our sole discretion.

To receive any reward from Thalex, you will be required to provide identification documentation to Thalex, for the sole and limited purpose of complying with Applicable Law, for money laundering prevention and terrorism funding prevention ("KYC").