Security is a collaboration. Report bugs and be rewarded.
*We may pay more for critical bug reports on a case-by-case basis.
Critical severity issues present an enormous risk to our clients or to Deriv itself. They often affect relatively low-level components in our infrastructure. For example:
High severity issues are generally more narrow in scope than critical issues, but they may expose sensitive client and company data to attackers. For example:
Medium severity issues allow attackers to gain unauthorised access to read or modify a limited amount of sensitive data. This data is usually less sensitive than the data exposed by high severity issues. For example:
We’ll reward reports on low-level vulnerabilities only if they help us fix severe security issues, and we’ll decide the reward amount on a case-by-case basis.
Low severity issues expose an extremely limited amount of data. They may violate an expectation of how something is intended to work, but without privilege escalation or the ability to trigger unintended behaviour. For example: