Security policy

Capital.com looks forward to working with the security researchers to find vulnerabilities in order to keep our businesses and customers safe. If you believe you have found a security vulnerability that impacts Capital.com, we encourage you to contact us immediately. Our team will investigate all legitimate reports and do our best to respond in a timely manner.

For submitting or learning more about the terms of our program, including our scope or safe harbor guarantee, please email vulnerability@capital.com

We reward researchers for high quality reports of any design or implementation issue that substantially affects the confidentiality or integrity of user data.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.
Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be acceptable.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
• Social engineering (e.g. phishing, vishing, smishing), physical attacks against our employees, users, or infrastructure. is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
• Do not perform testing on any of our partners (banks, credit card companies, loan companies, etc). Any such activity may result in removal from our program.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions
• Self XSS
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Attacks requiring MITM or physical access to a user's device.
• Autocomplete on web forms.
• Previously known vulnerable libraries without a working Proof of Concept.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS / DDoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Rate limiting or bruteforce issues on non-authentication endpoints
• "Best practice" claims, such as password strength or rate limiting issues without a demonstrated exploit.
• Missing security-related HTTP headers. Missing security cookie attributes (secure, httponly, and samesite).
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• Tabnabbing
• Reports from automated tools or scans
• Open redirect - unless an additional security impact can be demonstrated
• Verbose error outputs, local installation path disclosure, phpinfo() output, performance counters, etc are not considered as sensitive, reports like these are usually accepted without bounty. Software version disclosure reports are not accepted.

for iOS/Android apps

• Absence of certificate pinning
• Jailbreak Detection or Root Detection are out of scope
• Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)
• Lack of obfuscation is out of scope

SQL Injection Policy

• Do not alter any data.
• Do not change or interrupt server or database functionality.
• Do not destroy any data.
• Do not read or save sensitive data belonging to users other than yourself.
• Blindly counting rows and columns of databases is permissible.
• Generating outbound DNS requests is permissible.
• Listing database names and columns is permissible.
• Logic responses are permissible.

Scope

Out of Scope