Terms & Conditions

There are constraints on who may participate in the Lykke Bug Bounty Program (the "Program"). In addition, there may be additional restrictions depending upon applicable local laws.

The parties to this agreement are you and Lykke Services. "Lykke Services" refers to Lykke Services, Inc., and "Lykke" refers to Lykke Services and its affiliates.



Frequently Asked Questions about Lykke Bug Bounty Programs

 

This document answers frequently asked questions about bounty programs and explains the submission and confidentiality requirements of the programs.

The decisions made by Lykke are final and binding. Lykke may cancel this program at any time, for any reason. Be sure to read all of these terms before sending us any submission. If you send us a submission for this program, you are agreeing to these terms. If you do not want to agree with these terms, do not send us any submissions or otherwise participate in this program.

 

HOW DO I SUBMIT A VULNERABILITY REPORT FOR BOUNTY?

According to the terms and conditions of the contest, to participate in the Bug Bounty Program, you need to:

  1. Install the Lykke Wallet application (iOS or Android).

  2. Undergo the KYC procedure (with your name or the name of the bank account holder). To do this, click the USD deposit (symbol "+") in the application. The app will prompt you to take a photograph of your identity document, take a selfie, and take a photo to confirm your residence address. Once the moderators verify it, you can use your wallet in full.

  3. Now you can see all the needed source links, and you can press the “Participate” button on the project’s page.

  4. When you finish your research, add your result by sharing a link to the file or folder.

 

Lykke will exercise reasonable efforts to clarify indecipherable or incomplete submissions, but more complete submissions are often eligible for higher bounties.

 

WHAT HAPPENS AFTER I SUBMIT THE REPORT?

You will receive an email stating that we have received your submission.

Our engineers will review the submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your submission, as well as on the number of submissions that we receive.

 

WHO IS ELIGIBLE TO PARTICIPATE?

You are eligible if you are 18 years of age or older and none of the criteria that would make you ineligible apply to you.

 

WHO IS NOT ELIGIBLE TO PARTICIPATE?

 

ARE THERE ADDITIONAL REQUIREMENTS FOR AN ORGANIZATION TO PARTICIPATE IN THE LYKKE BOUNTY PROGRAMS?

No, you can participate as a team from one of your members’ accounts.

 

WHAT CAN I DISCLOSE ABOUT A VULNERABILITY REPORT I SUBMITTED FOR A BOUNTY AND WHEN CAN I DISCLOSE IT?

If you report a vulnerability, you are agreeing that you will never disclose the functioning exploit code (including binaries of that code) for the applicable vulnerability to any other entity, unless Lykke makes that code generally publicly available or you are required by law to disclose it. This does not prevent you from discussing the vulnerability once it is fixed or showing the effects of the exploit in code.

Please do not discuss the vulnerability in any form prior to Lykke notifying you that it is fixed. (We may pay bounties before a vulnerability is fixed, so please wait for the confirmation that it is fixed.) Disclosing a vulnerability before we notify you that it has been fixed may render you ineligible to participate in any bounty programs.

Please contact [email protected] if you intend to discuss the vulnerability after it has been fixed. This includes blog posts, public presentations, whitepapers, and other media.

To give people time to update, we generally recommend waiting for at least 60 days after your submission has been fixed by Lykke before discussing it publicly.



Most importantly, have fun! We thank you for participating in this bounty program.

How we classify bugs

 

This type of calculation is based on the “OWASP Risk Rating Methodology”.

 



