We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed to protect the people using Crypto.com’s protocols. In addition to this, we ask that you:
- Allow us a reasonable amount of time to correct or address security vulnerabilities.
- Avoid exploiting any vulnerabilities that you discover.
- Demonstrate good faith by not disrupting or degrading Crypto.com’s data or services.
Once we receive a vulnerability report, Crypto.com will take these steps to address it:
- Crypto.com will confirm receipt of the vulnerability report within 5 business days. The timing of our response may depend on when a report is submitted. As our daily operations are distributed in time zones across the globe, response times may vary. If you have not received a response to a vulnerability report from us within 5 business days, we encourage you to follow up with us again for a response.
- Crypto.com will investigate and validate the security issue submitted to us as quickly as we can, usually within 10 business days of receipt. Submitting a thorough report with clear steps to recreate the vulnerability and/or a proof-of-concept will move the process along in a timely manner.
- Crypto.com will acknowledge the bug, and make the necessary code changes to patch it. Some issues may require more time than others to patch, but we will strive to patch each vulnerability as quickly as our resources and development process allow.
- Crypto.com will publicly release the security patch for the vulnerability, and acknowledge the security fix in the release notes once the issue has been resolved. Public release notes can reference to the person or people who reported the vulnerability, unless they wish to stay anonymous.
If you find a security issue, you can contact our team directly at chain-security@crypto.com.
The following key can be used to communicate sensitive information to this email address:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF5LvC0BEAC94Ize0fTgJMLSFTTg0E3qIM0MNANoZ7iHe5iWIV3RjkWCZAMm
p/mAc/NmeLr6rhA9mEjgOQOqgP72fVYz8pXILOcRpHIg/AV8M7n18Qf9ovgME+1M
T/MEjjVDl1jeob35TwV29fu+Q/2yqdo3XIDWG6i3jw+SRF4HV5BHadzumVztvVsj
l7E2nLDl1vgmRQcqqmSnx1fMi9CRqDK6T1f6i9eZnjwJqJHPcvBQSFBL8x2HieBA
YawnGFd2ZAMn49nBtsQSIzCgrp0kRIRFEHef34i3B514i0VzUNIO4PoD68rPoNku
SVt1YI9SUkXwS+RT9bF5qiRHxYQItwPfszOGftwbZiwuv0EWMXkotITQ72KoyA0F
iincgE1gJwALkRlzLJwH9BoARRgIN/c/UQsnT0ZurdXjKHyb+v+E06rM5ruw/7Zk
gqQvKZzfosRq4LU5nAyFpLJy+iXphfg2v4Evbo2NPKi8YOLasGbbrpgTYSlQKgTW
1NfXm6O7QlnbNMVjBWPwVPnfUt8isHCRVlz0ScbiiiBTPZXLoRR6v7MLj/Wq20BH
HGNZ6orvvOnUnE7aJlrnghsiHJ/Pq3biItQeXx2SXrL4DBmg2wcivHOQJAX1HS6p
z3St0U6QZAXCzXtykkKuPkySU+vt2wseWUKxlJKOT44F2PAWjo8GFQescwARAQAB
tENDcnlwdG8uY29tIENoYWluIChDaGFpbiBTZWN1cml0eSBhbGlhcykgPGNoYWlu
LXNlY3VyaXR5QGNyeXB0by5jb20+iQJUBBMBCAA+FiEEuRBdyxEV+eIqDPIiu2Av
sWbyHG4FAl5LvC0CGwMFCQHhM4AFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ
u2AvsWbyHG4hvhAAmtFmbTEvKLHV7KiXvhJINVGGdOIPxdeX3jLNsbr7tTp96hAO
VfVxhJ7TOevVF+VaPUHN9pHIAJW88utk+2fwaEtMVsqI3rOdLSmD33Dl3TpkjuPr
VIERdXy3ogHhN+AEaLbGvI+TJkPAieCCpsSu0q6mL4wtuH/E41aPqpl7IykGIeVk
y+qVQO0cLDVxXoBQRRmd8YKGiGre78j1rWAP/gENTY7H6VVR/Le2iVQ8na+IMaIE
Q79fAPq11/1B7rNHI/FQl+Wv6zHaoJd7gfYLHS+1czvEHHUqkjnSblN+sdUso7xp
ei7egboCAZ0P7lLBj+10JQjPKM6dVEV33eaXrX5iMF4bm92ojp9+cX5nRLGLFROH
AaoyAdXn5oxWj8Hs2AxIzva9bd5VpSqOBmfz/vlPp73eoUud+/Ud55BWpE13QDqw
GY37Ei5eV8PZxq2wChKNKSsTDWW3E6Swf7QrrVd47IJkTWu6dH0EynBwpAdTwQN5
4kIOAOfE9+0BqEXQEGe99LpdbyQmEs0vHGP8+F/04KqmeE51di1DamgQF5Ik5opr
3sjTEPaVhqIn4U4G92BPjyArMXH41s3prKK4Pz+efOTjVOA2Uhpld4J3E8Awp5Ss
xm8z1NGynLDszuTQXCm5WsTvxcZNzmhIWYgzb4XPalQe1Nq31U8v26L84+65Ag0E
Xku8LQEQAL4HhXxZXL4oXeNnmgYGPDYLH/F8zjUl1f3cZVQlqkzAeLVQlMZ6webR
aBTq7yqhG/caxJp4gT4VTKSIIlLn+ixTmVjuZw4e8UURWqtux6GDnwLDXX5YG/6q
bLt8hddWNsENMvZwLZRuw6yR12ZOP4vp9fu9z4lLSwEzhu+59fZtqb+y8F4twPFb
RsmHMNH/m+q0nSy9KdYdnPbqFJrISsTrC8kCDS7GsUtbSjjJcPd+csStsSkyvYbU
swoT9Cx+sEEQ5KhrPwFtzhszCPC6EPIJhMO52ar+65pR0znbCbg5Uqc3RH4uhnu4
vgEzDJyiQ4XjeXGjEjqVTT6Znkah8ZQqZlzTXnpJr0ZK4oyeQSxgoCAyP4HYbQTN
P1ulKAkvo4hDQlua2MYcY6Bq2aGnmdYnwaOtFGLlnRHYO+QJzVQMk+Yb2PrtdP84
CYrM9GFrLVIdsHj4wSWXg9OPBIlmHwUucgom2rCYK11MXXboMOcL+4ebj7aGKRVH
KhFe5H4qS9oB3ilO/YRY9E68wz+3N0UX0ZQaOlqDyMnR2RlvhIguUZYiw63V4xIq
j+inZ4ymBgUIsiVhDYHLJ6WnVL0ghjZWXbMKlHjaDQ4rDn5udijF3lY8kXto6Ok7
iNlOHMDQQ5i0+nGLs6gKJmQ05pg8f4aeyppo8BqFSdldolXQp78HABEBAAGJAjwE
GAEIACYWIQS5EF3LERX54ioM8iK7YC+xZvIcbgUCXku8LQIbDAUJAeEzgAAKCRC7
YC+xZvIcbmgkEACcZt21xP6reuCYy6nQYGcEUKikkCbrZYQk6RpkY2pz7jq6/G6j
z0O6/BKIThW72KmWKrb0VHg/Gz1gyfoGrkf4LiOQsAbMOtn/J5KI4tozA+RL8rA9
n616IdQHWsCfNeLhnYWB6ymxaYam3QEpHbD+C4oSsp9TnahqFeC4IDeOBmM1qmqL
eAwJVV9wME+qcbI2kTx84S8sHjG+Uu4LQMn3ZzsWOS4zF6e47QLSkIWqjduBbMUn
XPMRyuAZhfCXmKyc+hs1/e1+Fpc3jjFZmHR2MyzLuBCsbc9hxic2SwOAGTmPoiuG
eTSXAm5e4B2VLGxrFwYFLnVUf5At05U9jOnvv5W+GROdAnW6MgsEW92z6z4B6vE4
V4EFTppZtKb3Sa60ycXFPgPk0g2uXmV5i2S/UrS2m5YbMZXc7RQ6hQOrFd/6gAdW
SR33cQD2VthNvTZVogywqvkhlB/v8TUowFPXSoycC48xrlmJF2/ET5yKnSgpe3FH
czfRhKxOaEYxJQPvfGLbPlzw1CmEMdm9AgJnHBjw52vBI/tmtMp8rPFjkNHk+GwY
gakE32mceRVetyNVk3cove4vs+RaHLOePubuTg5wLbOq7z8z4jfzyazufA651py1
a5E0X/+kMgxKxB9NiTvlZU4Lhp3u/z8n7iScEAPso/fQq1t88E79l7sXvA==
=SXbV
-----END PGP PUBLIC KEY BLOCK-----
You can also contact cryptocom account on Wire, its key fingerprint is:
2009df951d8880a4f319c6bafb2da6376d5e5aeb927a5ef10b8074af8b9df8c8