To be eligible for this "bug bounty" award, the following requirements must be met:

1. If payment is desired, submission must be made by a registered user in order to be eligible for payment. This includes relevant KYC and other mandatory procedures for registered users on the platform ("Liquid"). As a regulated entity, we are not permitted to make or facilitate payments to anonymous persons (including corporates, where applicable).

2. The vulnerability you identify in our system, service or platform must be original and not have been previously discovered or reported to Liquid, including a vulnerability which was identified in any pre-release product versions (e.g., Beta, Release Candidate).

3. The testing performed by you was not destructive of and did not interrupt the regular operation of Liquid. 

A successful submission must include the following information:

  1. 1. The name/link(s) of the Liquid product.
  2. 2. Detailed description of the potential vulnerability.
  3. 3. Date and time of the test and proof-of-concept that details the reproduction of the potential vulnerability.
  4. 4. Screenshots of the discovery.
  5. 5. The more details provided in the initial report, the easier it will be for Liquid to evaluate your report.

Eligibility Criteria

All criteria must be met in order to participate in the Bug Bounty Program.

  1. You are reporting in your individual capacity or, if you are employed by a company or other entity and are reporting on behalf of your employer, you have your employer’s written approval to submit a report to Liquid’s Bug Bounty program.
  2. You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.
  3. You are not a resident of a Financial Action Task Force High-Risk Jurisdictions subject to a Call for Action/Jurisdictions under increased monitoring
  4. You are not currently nor have been an employee of Quoine within 6 months prior to submitting a report.
  5. You are not currently nor have been under contract to Quoine within 6 months prior to submitting a report.
  6. You are neither a family nor household member of any individual who currently or within the past 6 months meets or met the criteria listed in D. or E. above.
  7. You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
  8. You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information. To clarify, Liquid does not view testing that is done in compliance with the terms and conditions of this Bug Bounty Program as being "unauthorized" for these purposes.
Did this answer your question?