Security at Send

4 min. read. Last update: 03.31.2024


At Send, we take the security of our platform and the protection of our users' data very seriously. We believe in working with the security community to identify and responsibly address any vulnerabilities that may exist in our systems. To further enhance our security posture, we have implemented a bug bounty program to encourage and reward security researchers for responsibly disclosing vulnerabilities they find in our platform.

Bug Bounty Program

The security of Send and its platform is of the utmost importance to us. For that reason, we run an official Send Bug Bounty (the "Program") to incentivize responsible bug disclosure.

Rewards will be allocated based on the severity of the bug disclosed and assets at risk.

Scope
The program includes vulnerabilities and bugs in any repository hosted under our GitHub organization, including but not limited to:


Rewards
The Program uses the following four-level severity scale:

  • Critical - Issues that could impact numerous users and have serious reputational, legal or financial implications. An example would be being able to lock contracts permanently or take funds from all users.
  • High - Issues that impact individual users where exploitation would pose reputational, legal or moderate financial risk to the user.
  • Medium - The risk is relatively small and does not pose a threat to user funds.
  • Low/Informational - The issue does not pose an immediate risk but is relevant to security best practices.
Rewards will be given based on the above severity as well as the likelihood of the bug being triggered or exploited, to be determined at the sole discretion of Send. You can find out more about this scale at the OWASP risk rating methodology page.

Disclosure Policy
We ask that you give us a reasonable amount of time to investigate and address any vulnerabilities you report before public disclosure. We commit to keeping you informed of our progress and to giving credit for your finding once remediated.

Out-of-Scope Vulnerabilities
While we appreciate all vulnerability reports, the following types of issues are generally considered out-of-scope for our bug bounty program:
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
    • This includes any attacks that could disrupt the availability of our services, such as volumetric DDoS, application-layer DDoS, or resource exhaustion attacks.
    • However, we do consider DoS vulnerabilities that can be exploited with minimal resources (e.g., a single request causing a crash) to be in-scope.
  • Spam or social engineering techniques
    • This includes any attempts to mislead or deceive our users or employees, such as phishing, malware distribution, or social engineering.
  • Theoretical vulnerabilities without a practical proof-of-concept
    • We only consider vulnerabilities that can be practically demonstrated with a working proof-of-concept.
  • Vulnerabilities in third-party services not directly under our control
    • This includes issues in external services we use, such as cloud providers, CDNs, or SaaS applications, unless the vulnerability specifically arises from our configuration or use of these services.
  • Attacks requiring physical access to our infrastructure or personnel
    • We consider physical security issues to be out of scope for this program, unless they directly enable a remote digital compromise.
  • Vulnerabilities affecting users of outdated or unsupported browsers and platforms
    • We only consider vulnerabilities affecting users of modern, supported browsers and platforms to be in-scope.
Please note that while these types of issues are not eligible for bounty rewards, we still appreciate receiving reports about them, as they can help us improve our overall security posture. If you're unsure whether a particular vulnerability is in scope, please feel free to reach out to us for clarification before submitting a report.


Reporting a Vulnerability
To report a potential security vulnerability, please email us at security@send.it with the following details:
  1. A description of the vulnerability and its potential impact
  2. Steps to reproduce the issue
  3. Any relevant technical details (proof-of-concept code, tools used, etc.)
Our security team will acknowledge your report within 24 hours and provide an estimated timeline for our investigation.

Contact Us
If you have any questions about our security practices or bug bounty program, please reach out to us at security@send.it. We appreciate the efforts of the security community in helping us keep our platform safe for everyone.