
Our Security

1

Built in the USA

We are based in California, USA. Our founders and most of our engineers are also based in the USA, and some are in Israel. All have passed screening and a security check.

2

We don't hold any customers’ assets

Our platform is designed so that all client assets remain at the customer's preferred exchange/custody location. We don't have access to withdraw, deposit or transfer any of those funds or digital assets.

3

We use state-of-the-art encryption and security

The technology that powers our platform was developed with industry-leading security and encryption at its core. Our security team is constantly working to make sure you and your assets are protected from emerging threats.

Security Bounty
Will be approved after our product's public launch

Security Bounty Program

No technology is perfect. At 8081, we always want to ensure that traders can manage their portfolios without the need to worry about their data and trade execution. If you find something that potentially affects the security of our users, we appreciate your help and do reward actionable information.

In Scope

You can submit any number of vulnerabilities in our systems. Not all vulnerabilities are equal, though. If you find a vulnerability in the following categories, please contact us as soon as possible:

  • SQL Injection vulnerabilities

  • Encryption vulnerabilities

  • Remote Code Execution

  • Authentication Bypass, Unauthorized data access

  • XML External Entity

  • S3 Bucket Upload

  • Server-Side Request Forgery

The following domains and apps are eligible for rewards under this program:

  • www.8081

  • api.8081.io

  • iOS application at Apple Store: TBD

  • Android application at Google Play Store: TBD

 

Out of Scope

We do not accept submissions in the following categories:

  • Ability to create user accounts without any limits.

  • Ability to perform an action unavailable via user interface without identified security risks.

  • Ability to send emails with no control over content without any limits.

  • Any activity that could lead to the disruption of our service (DoS).

  • Attacks that require MiTM or physical access to a user's device.

  • Clickjacking.

  • Content spoofing and text injection.

  • CSV injection without demonstrating a vulnerability.

  • Disclosure of non-sensitive information, like product version, file path on a server, stack trace, etc.

  • Disclosure of origin and private IP addresses or domains pointing to private IP addresses.

  • Leakage of sensitive tokens (e.g. password reset token) to trusted third parties on secure connection (HTTPS).

  • Missing best practices in SSL/TLS configuration.

  • Missing best practices in DNS configuration (DKIM/DMARC/SPF/TXT).

  • Missing best practices in HTTP headers without demonstrating a vulnerability.

  • Missing notifications about important actions.

  • Missing protection mechanism or best practices without demonstration of real security impact for user or system.

  • Previously known vulnerable libraries without a working proof of concept.

  • Reports that include only crash dumps or automated tool output without a working proof of concept.

  • Unauthenticated/login/logout CSRF.

  • User enumeration.

  • Vectors that require unpatched environment (e.g. missing Windows updates).

  • Vectors that require browser versions released 6 or more months before report submission.

  • Missing rate limiting on endpoints.

  • Cross-Site Request Forgery (CSRF).

How to submit a vulnerability

You can submit vulnerabilities to us by email to info@8081.io.

State concisely in your email what vulnerability you have found. In particular, include the following in your email:

  • Which vulnerability

  • The steps you undertook

  • The entire URL.

  • Objects (as filters or entry fields) involved.

  • Screenshots and screen videos are highly appreciated.

  • Provide your IP address in the bug report, which will be kept private and used for tracking your testing activities and reviewing the logs on our side.

  • Describe the issue you found as explicitly and in as much detail as possible, and provide any evidence you might have. You can assume that the notification will be received by a specialist.

Rules

Take responsibility and act with extreme care and caution. When investigating the matter, only use methods or techniques that are necessary to find or demonstrate the vulnerabilities.

  • Be an ethical hacker and respect other users' privacy.

  • Do not use vulnerabilities you discover for purposes other than your own investigation.

  • Do not disclose vulnerabilities to parties other than 8081; provide us a reasonable amount of time to resolve the issue before disclosure to the public or a third party.

  • Do not use social engineering to gain access to a system.

  • Do not install any back doors – not even to demonstrate the vulnerability of a system. Back doors will compromise the systems' security.

  • Do not alter or delete any information in the system. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further.

  • Do not alter the system in any way.

  • Only infiltrate a system if absolutely necessary. If you do manage to infiltrate a system, do not share access with others.

  • Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems.

  • Secure your own systems as tightly as possible.

 

Rewards

We maintain flexibility with our reward system, and have no minimum/maximum amount; rewards are based on severity, impact, and report quality. To receive a reward, you must reside in a country not on sanctions lists (e.g., Cuba, Iran, North Korea, Sudan & Syria). This is a discretionary program and 8081 reserves the right to cancel the program; the decision whether to pay a reward is at our discretion.

Additional considerations:

  • When duplicates occur, we only award the first report that we receive.

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.
