Responsible Disclosure

Coinomi values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with the community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible disclosure process.

If you are a security researcher and would like to report a vulnerability, please send an email to security@coinomi.com. Please provide your name, contact information, and company name (if applicable) with each report. Priority will be granted to encrypted reports — please include your PGP public key along with the report.

Download the Coinomi PGP key

Responsible Disclosure Guidelines

We will investigate legitimate reports and make every effort to quickly correct any confirmed vulnerability. To encourage responsible reporting, we commit that we will not take legal action against you or ask law enforcement to investigate you if you comply with the following Responsible Disclosure guidelines:

  1. Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
  2. Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services.
  3. Do not modify or access data that does not belong to you.
  4. Give us a reasonable time to correct the issue before making any information public.
  5. We only accept reports for services provided exclusively by Coinomi and not by any third party.

We will make every effort to respond to your disclosure within 1-2 business days.

Disclosures that do not fully comply with the above guidelines will not be eligible for bounties or for any of the assurances described above.

Applications

We are mainly interested in vulnerabilities that would eventually allow attackers to compromise wallets and/or crypto assets from Coinomi applications.

These vulnerabilities are in-scope:

  1. Bypass of the PIN or biometrics, excluding functionality provided natively by the operating system
  2. Bypass of user confirmation to sign a transaction
  3. Sensitive data leaks via memory access, network traffic, local device storage, etc.
  4. Dependency-tree (supply-chain) attacks
  5. Cryptography vulnerabilities related to BIP-39/32/44 key derivation and elliptic curves

These vulnerabilities are out-of-scope:

  1. Unencrypted Firebase service tokens.

Websites

We are interested in critical vulnerabilities in our infrastructure including front and backend.

These vulnerabilities are out-of-scope:

  1. Presence/absence of SPF/DMARC records.
  2. Lack of CSRF tokens.
  3. Clickjacking and tabnabbing issues.
  4. Missing security headers that do not lead directly to a vulnerability.
  5. Missing best practices (we require evidence of a security vulnerability).
  6. Reports from automated tools or scans.
  7. Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
  8. Absence of rate limiting.
  9. Outdated software without any noteworthy vulnerability.
  10. Broken links.
  11. Vulnerabilities in third-party services, e.g. Zendesk, Twitter, etc. (report these directly to the provider).