Responsible Disclosure Policy
Last updated: January 1, 2024
1. Our Commitment
GoldStockEX is committed to working with security researchers who discover vulnerabilities in our platform. We will:
- Acknowledge receipt of your vulnerability report within 3 business days.
- Provide an initial assessment and estimated timeline for a fix within 10 business days.
- Notify you when the vulnerability has been resolved.
- Recognize your contribution (with your permission) in our security acknowledgements.
- Not take legal action against researchers who discover and report vulnerabilities in good faith and in compliance with this policy.
2. Scope
This policy applies to vulnerabilities found in the following GoldStockEX assets:
- The GoldStockEX website (goldstockex.com) and all its subdomains.
- The GoldStockEX trading platform and user dashboard.
- GoldStockEX mobile applications (iOS and Android, if applicable).
- The GoldStockEX API.
Out of Scope: The following are out of scope for this policy:
- Vulnerabilities in third-party services or applications that GoldStockEX uses (unless they directly impact GoldStockEX).
- Social engineering attacks targeting GoldStockEX employees or customers.
- Physical security vulnerabilities.
- Denial of Service (DoS/DDoS) attacks.
- Spam or phishing campaigns.
- Automated scanning results without proof of exploitability.
3. What We're Looking For
We are particularly interested in vulnerabilities that could impact the security or privacy of our users, including but not limited to:
- Authentication and authorization bypass vulnerabilities.
- Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).
- SQL injection and other injection attacks.
- Sensitive data exposure or information disclosure.
- Insecure direct object references.
- Security misconfigurations affecting user data.
- Business logic flaws that could allow unauthorized fund transfers or account manipulation.
- Broken access control issues allowing access to other users' data.
4. How to Report
If you discover a security vulnerability, please report it to us responsibly by emailing:
Please include the following information in your report:
- Description: A clear description of the vulnerability and its potential impact.
- Steps to Reproduce: Detailed, step-by-step instructions to reproduce the issue.
- Proof of Concept: Screenshots, videos, or code snippets demonstrating the vulnerability (without causing harm).
- Affected Components: The URL, endpoint, or application component where the vulnerability exists.
- Suggested Fix: (Optional) Your recommendation for fixing the issue.
Please encrypt sensitive reports using our PGP key if possible. Contact us first for our public key.
5. Rules of Engagement
When conducting security research on our platform, you must:
- Do use only your own test accounts. Do not access, modify, or exfiltrate data from accounts belonging to other users.
- Do stop testing immediately if you unexpectedly access user data, and report it to us right away.
- Do keep all vulnerability details confidential until we have had a reasonable opportunity to investigate and remediate the issue (typically 90 days).
- Do not perform testing that degrades the availability or performance of our services (no DoS/DDoS testing).
- Do not attempt to access, modify, or delete user data other than your own.
- Do not use automated scanning tools in a manner that generates excessive load on our infrastructure.
- Do not publicly disclose any vulnerability details before we have confirmed resolution.
- Do not demand payment as a condition of disclosing vulnerabilities (this constitutes extortion, not responsible disclosure).
6. Safe Harbour
We consider security research conducted in accordance with this policy to be:
- Authorized access to our systems for the limited purpose of security testing.
- Conducted in good faith and for the benefit of GoldStockEX and our users.
We will not initiate legal action against researchers who comply with this policy. If legal action is initiated by a third party, we will make it known that the researcher's activities were conducted in compliance with this policy.
Please note that this safe harbour applies only to legal claims that GoldStockEX controls, and does not bind independent third parties.
7. Recognition
We value the work of security researchers who help us improve the security of our platform. With your permission, we will acknowledge your contribution in our public security acknowledgements page for valid, unique vulnerability reports that result in a confirmed security improvement.
While we do not currently offer a financial bug bounty program, we reserve the right to offer rewards for particularly significant or critical findings at our discretion.
8. Contact
For security-related inquiries or to report a vulnerability:
GoldStockEX Security Team
Email: [email protected]
Subject line: "Security Vulnerability Report"
For general support inquiries, please use our Contact page or live chat.