Policy

oil.vision recognises the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.

Note: This program is for the disclosure of software security vulnerabilities only. If you believe your oil.vision account has been compromised, change your password and contact us immediately.

Responsible Disclosure

Responsible disclosure includes:

  1. Providing us with a reasonable amount of time to fix the issue before publishing it elsewhere.
  2. Making a good faith effort to not leak or destroy any oil.vision user data.
  3. Not defrauding oil.vision users or oil.vision itself in the process of discovery.

In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

Social Engineering

You are not allowed to conduct social engineering attacks against our support team. Doing so will most likely result in your account being closed and no bounty being awarded.

Rewards

The minimum payout is ¥1,000 for reporting a new security vulnerability which results in a code or configuration change on our part. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.

Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.

We use the following table as a guideline for determining reward amounts:

Vulnerability                                                        Reward
------------------------------------------------------------------   --------
Remote Code Execution                                                ¥500,000
Significant manipulation of account balance                          ¥100,000
XSS/CSRF/Clickjacking affecting sensitive actions [1]                ¥75,000
Theft of privileged information [2]                                  ¥50,000
Partial authentication bypass                                        ¥30,000
Other XSS (excluding Self-XSS)                                       ¥10,000
Other vulnerability with clear potential for financial or data loss  ¥10,000
Other CSRF (excluding logout CSRF)                                   ¥2,500
Other best practice or defense in depth                              ¥1,000

[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions

[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent

Eligibility

All services provided by oil.vision are eligible for our bug bounty program.

In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

  • XSS
  • CSRF
  • Authentication bypass or privilege escalation
  • Clickjacking
  • Remote code execution
  • Obtaining user information
  • Accounting errors

In general, the following would not meet the threshold for severity:

  • Lack of password length restrictions
  • Merely showing that a page can be iframed without finding an element on the page that could be clickjacked.
  • Self-XSS
  • Denial of service
  • Spamming
  • Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim’s device(s)
  • Logout CSRF
  • User existence/enumeration vulnerabilities
  • Password complexity requirements
  • Reports from automated tools or scans (without accompanying demonstration of exploitability)
  • Social engineering attacks against oil.vision employees or contractors
  • Text-only injection in error pages
  • Automatic hyperlink construction by third-party email providers
  • Using email mutations (+, ., etc.) to create multiple accounts for a single email address

oil.vision will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the reward.

By submitting a bug, you agree to be bound by the above rules.

Get in touch via Telegram

Process overview

1. Send in bug report(s).
2. We research and fix them.
3. Set bounty amount based on the table outlined above.
4. You try to reproduce the reported problems.
5. We send in the payment within one week, excluding Japanese weekends and holidays.