7.7 Vulnerability Disclosure Policy

Meta Forex Markets Ltd, a company with registration number M22304317 MSB, having its registered office at UNIT G1 CAPITAL HOUSE 61 AMHURST ROAD LONDON UNITED KINGDOM E8 1LL, is committed to protecting the privacy and security of users of our software tools (Software). This Vulnerability Disclosure Program (Program) is intended to minimize the impact any security flaws have on our tools or their users. The Program welcomes investigative work into in-scope security Vulnerabilities (as defined below) carried out by well-intentioned and ethical security researchers who discover in good faith in-scope Vulnerabilities in the Software and who, subject to the terms and conditions contained herein, are rewarded with a Benefit (as defined below).

PROGRAM TERMS

1. ACCEPTANCE OF TERMS AND OTHER

  1. Your participation in the Program is voluntary and subject to the terms and conditions of this policy (Terms), the Client Agreement, the Privacy Policy, the Disclaimer and all applicable laws and regulations, including all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications) and the guidance and codes of practice issued by the relevant data protection or supervisory authority.

  2. These Terms are additional to and supplement any other agreement you have entered into with METAFX (collectively Client Agreements). The terms of the Client Agreements will at all times apply to your use of, and participation in, the Program as if they were fully incorporated herein. If there is any inconsistency between the terms of the Client Agreements and these Terms, the Terms will override solely in relation to the Program.

  3. To encourage responsible Submissions made in good faith, METAFX commits that, if, in our sole discretion, we decide that a Submission made by you has been made in accordance with these Terms and the Client Agreements, METAFX will not bring a private action against you or refer a matter for public inquiry. We cannot and do not authorize security research in the name of other entities. If legal action is initiated by a third party against you and you have complied with these Terms, we will take reasonable steps to make it known that your actions were conducted in compliance with these Terms.

  4. IMPORTANT: as part of your research, you are not allowed to modify any files or data, including permissions, and you are not allowed to intentionally view or access any data which is not required for your research. Before causing damage or potential damage: stop, report what you have found and request additional testing permission. Violation of these Terms and the Program may result in enforcement action against you.

2. SOFTWARE SCOPE

  1. Only the METAFX brand and the following METAFX Software are in the scope of this Program:

    • a. METAFX web application: *.metafx.ai

    • b. METAFX desktop application; and

    • c. METAFX mobile application

  2. Any software or acquisitions not listed above are not in scope, including without limitation the following:

    • a. my.metafx.ai

    • b. api.metafx.ai

    • c. app.metafx.ai

3. SCOPE FOR METAFX WEB APPLICATION

  1. In-scope Vulnerabilities. The following shall be considered in-scope vulnerabilities for the web application:

    • a. Injections

    • b. Broken Authentication

    • c. Sensitive Data Exposure

    • d. XML External Entities

    • e. Broken Access Control

    • f. Security Misconfiguration with a demonstration of how to exploit it

    • g. Cross-Site Scripting

    • h. Insecure Deserialization

  2. Out of Scope Vulnerabilities. The following shall be considered out of scope vulnerabilities for the web application:

    • a. Social engineering (including phishing) of METAFX staff, contractors and clients

    • b. Messages from security scanners and other automated systems;

    • c. Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS;

    • d. Weak password policies

    • e. Mail configuration issues including SPF, DKIM, DMARC settings

    • f. Host header injection without exploitation

    • g. DNSSEC configuration

    • h. Clickjacking;

    • i. Unauthenticated/logout/login/signup, enable/disable notification CSRF;

    • j. Previously known vulnerable libraries without a working Proof of Concept;

    • k. Missing best practices in SSL/TLS configuration;

    • l. Missing best practices in HTTP headers configuration without a working Proof of Concept;

      • i. Strict-Transport-Security

      • ii. X-Frame-Options

      • iii. X-XSS-Protection

      • iv. X-Content-Type-Options

      • v. Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP

      • vi. Content-Security-Policy-Report-Only

    • m. Network disruption of service (DoS) attacks (e.g. connection floods, HTTP GET floods, etc.);

    • n. Path disclosure;

    • o. Reports about the absence of a protection mechanism or non-compliance with recommendations.

    • p. CSP (content security policy)

    • q. SSL Issues, e.g.

      • i. SSL Attacks such as BEAST, BREACH, Renegotiation attack

      • ii. SSL Forward secrecy not enabled

      • iii. SSL weak / insecure cipher suites

    • r. CSRF on forms that are available to anonymous users (e.g. the contact form).

    • s. Logout Cross-Site Request Forgery (logout CSRF).

    • t. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.

    • u. Lack of Secure/HTTPOnly flags on non-sensitive Cookies.

    • v. Lack of Security Speedbump when leaving the site.

    • w. Weak Captcha / Captcha Bypass

    • x. Forgot Password page brute force and account lockout not enforced.

    • y. OPTIONS HTTP method enabled; CORS

    • z. Username / email enumeration

      • i. via Login Page error message

      • ii. via Forgot Password error message

4. SCOPE OF MOBILE APPLICATION

  1. In-scope Vulnerabilities. In addition to the in-scope vulnerabilities stated above, the following will also be considered in-scope vulnerabilities for the mobile application:

    • a. Insecure Data Storage

    • b. Insecure Communication

    • c. Insecure Authentication

    • d. Insecure Authorisation

  2. Out of Scope Vulnerabilities. The following shall be considered out of scope vulnerabilities for the mobile applications:

    • a. Social engineering (including phishing) of METAFX staff, contractors and clients

    • b. Missing best practices in SSL/TLS configuration;

    • c. Missing best practices in HTTP headers configuration without a working Proof of Concept;

    • d. Reports about the absence of a protection mechanism or non-compliance with recommendations.

      1. For Android apps

        • Shared links leaked through the system clipboard.

        • Any URIs leaked because a malicious app has permission to view URIs opened

        • Absence of certificate pinning

        • Sensitive data in URLs/request bodies when protected by TLS

        • User data stored unencrypted on external storage

        • Lack of obfuscation

        • OAuth "app secret" hard-coded/recoverable in the APK

        • Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)

        • Any kind of sensitive data stored in the app's private directory

        • Lack of binary protection controls in the Android app

      2. For iOS apps

        • Lack of exploit mitigations, i.e. PIE, ARC or stack canaries

        • Absence of certificate pinning

        • Path disclosure in the binary

        • User data stored unencrypted on the file system

        • Lack of obfuscation

        • Lack of jailbreak detection

        • OAuth "app secret" hard-coded/recoverable

        • Crashes due to malformed URL Schemes

        • Lack of binary protection (anti-debugging) controls

        • Snapshot/Pasteboard leakage

        • Runtime hacking exploits (exploits only possible in a jailbroken environment)

5. RESPONSE TIME

METAFX shall make best efforts to respond to Submissions within the following time intervals:

METAFX TYPE OF RESPONSE                                   RESPONSE TIME (in business days)
First Response                                            3
Time to Assess Submission (Assessment Response)           7 following First Response
Time to pay Benefit following Assessment of Submission    up to 30 from Assessment Response (subject to paragraph 8.4)
Time to Resolution                                        Depends on severity and complexity

6. ELIGIBILITY REQUIREMENTS AND YOUR COVENANTS

  1. In order for you to be eligible to participate in this Program and by extension, to receive a Benefit, you must meet all of the following criteria:

    • a. you are 18 years of age or older, or considered an adult in the country of which you are a resident,

    • b. you are either an individual researcher participating in your own individual capacity, or you work for an organisation that permits you to participate,

    • c. you are the first party to report the issue to METAFX,

    • d. you provided a clear report in accordance with the Terms,

    • e. you must not disclose the issue publicly unless otherwise authorised by METAFX.

  2. You are NOT eligible to participate in this Program and by extension, to receive a Benefit, if you meet any of the following:

    • a. you are employed by METAFX,

    • b. you are an immediate family member of a person employed by METAFX,

    • c. you are a minor, in accordance with the country in which you are a resident. Usually this is over 18 years of age. If you are considered a minor in the country you are a resident, then you must obtain your parents’ or legal guardian’s permission before participating in the Program,

    • d. your organization does not allow you to participate in these types of programs (it is your responsibility to comply with any policies that your employer may have that would affect your eligibility to participate in the Program; if you are participating in violation of your employer’s policies you may be disqualified from participating or receiving any Benefit),

    • e. within the six months prior to providing us your Submission you were an employee of METAFX,

    • f. you currently (or within the six months prior to providing us your Submission) perform services for METAFX in an external staff capacity that requires access to the METAFX Software, such as an agency temporary worker, home agent, remote officer, vendor, service provider, employee, business guest or contractor,

    • g. you are or were involved in any part of the development, administration, and/or execution of this Program, or

    • h. you make any Submissions in relation to Vulnerabilities that are not original, have been previously reported, or have already been discovered by internal procedures.

There may be additional restrictions on your ability to participate in the Program depending upon your local law.

If it comes to the knowledge of METAFX, or METAFX has reasonable grounds to believe, that you meet any of the above conditions, you will be removed from the Program, you will be disqualified and you will not receive any Benefit.

7. COVENANTS

By accepting the Terms you confirm, agree and covenant to METAFX that you shall not, and shall not assist any other party to:

  • a. without the prior written approval of METAFX, disclose in any way, either to the public (including via websites, social networks, forums, blogs, online magazines and similar) or to any other third person/entity, the content of your Submission or any findings of your research for a potential or actual Submission (collectively the Content),

  • b. use the Content in any way for any purpose other than the purposes described herein and making a Submission,

  • c. modify any files or data, including permissions, or intentionally view or access any data which is not required for your research,

  • d. interact with, access, use or modify in any way METAFX accounts (real or demo) or their data,

  • e. interrupt or disturb the operation of the Software or the provision of the services by METAFX, in any way,

  • f. engage in activity that is false or misleading,

  • g. engage in activity that is harmful to you, the Program or others (e.g. transmitting viruses, stalking, posting terrorist content, communicating hate speech or advocating violence against others), and

  • h. violate any other applicable laws and/or regulations or any existing regulatory documents, including those of METAFX.

Without prejudice to METAFX’s rights and without limiting any other remedies available to METAFX under applicable laws, if it comes to the knowledge of METAFX, or METAFX has reasonable grounds to believe, that you have breached any of the above covenants, you will be removed from the Program, you will be disqualified and you will not receive any Benefit.

8. SUBMISSION REQUIREMENTS

  1. If you believe you have identified a Vulnerability that meets the applicable requirements as set out in these Terms, you may submit it to METAFX through the process described herein. You must not disrupt, compromise, or otherwise damage data or property owned by other parties. This includes attacking any devices or accounts other than your own (or those for which you have explicit, written permission from their owners), and using phishing or social engineering techniques. Immediately stop your research and notify METAFX using the reporting process herein before any of the following occur:

    • a. you access any accounts or data other than your own (or those for which you have explicit, written permission from their owners),

    • b. you disrupt any METAFX service, and

    • c. you access systems related to Out of Scope Vulnerabilities.

  2. In order to be eligible to receive a Benefit for a submission made under these Terms, your submission should include a report with all of the following information (Submission). A well-written report will allow us to more quickly and accurately assess your submission. Well-written reports and functional exploits are more likely to result in a Benefit.

      • a. Each report must relate to one Vulnerability, unless several vulnerabilities are involved and need to be included in order to accurately describe the impact of the one Vulnerability being reported; in that case the report will still be treated as one Submission for the purposes of a Benefit,

      • b. Full description of the Vulnerability being reported, including its exploitability and impact. Each report should also include a CVSS v3.1 score, calculated with the Common Vulnerability Scoring System Version 3.1 Calculator, with a direct link to the calculation,

      • c. Full description of the component of the METAFX Software in which the Vulnerability was discovered,

      • d. Evidence and explanation of all steps required to reproduce the Submission. Proof of exploitability may include videos, screenshots, exploit code, traffic logs, web/API requests and responses, the email address or user ID of any test accounts, and the IP address used during testing. Evidence can be provided in the form of videos uploaded to YouTube with a private link (sign in to YouTube Studio; from the left menu, select Videos; click the video you would like to edit; click the Visibility box and select Share privately; enter the email addresses of the people you would like to share your video with, then select SAVE),

      • e. Proposals for the rectification and fix of the Vulnerability being reported,

      • f. Full description of any unintentional access taking place during your research/testing, to any confidential information of METAFX or of METAFX accounts (real or demo),

      • g. Multiple Vulnerabilities caused by one underlying issue will be treated as one Submission for the purposes of a Benefit.

  3. You must submit the above report to support@metafx.ai.

  4. Failure to follow all of the above steps and include all of the above items may delay or jeopardize the acceptance of a Submission and/or the payment of a Benefit (if any). METAFX is not responsible for Submissions that it does not receive for any reason. If you do not receive a confirmation email after making your Submission, notify METAFX at support@metafx.ai to ensure your Submission was received.

9. BENEFIT PAYMENT

  1. You shall be eligible to receive a monetary reward (Benefit), if:

    1. You are the first person to submit an in-scope Vulnerability being reported,

    2. That Vulnerability is determined by METAFX’s security team, to be a valid security issue,

    3. You have complied with all terms and conditions of these Terms, and

    4. You are in compliance with the Terms.

  2. Benefits, if any, shall be determined in the sole discretion of METAFX and in no event shall METAFX be under any obligation to pay you a Benefit for any Submission. All Benefit payments shall be considered gratuitous.

  3. METAFX shall determine the amount of any Benefit based on the risk and impact of the Vulnerability reported. The minimum Benefit for a validated Submission shall be USD 200 and the maximum USD 2,000.

  4. If we have determined that your Submission is eligible for a Benefit under the Terms of the Program, we will notify you of the Benefit amount and provide you with the necessary paperwork to process your payment. You may waive the payment if you do not wish to receive a Benefit.

  5. The only method of payment for any benefits under this Agreement shall be by cryptocurrency to your crypto wallet address. In order to be able to process any benefit payments, you will be required to provide us with a valid cryptocurrency address and any other information we may deem necessary upon request.

  6. All Benefits will be made in USDT in accordance with the Response Time, and you will be responsible for any tax implications or other implications related to the payment of the Benefit to you.

  7. METAFX retains the right to determine, in its sole discretion, whether a Vulnerability submitted under this Program is eligible. All determinations as to the amount of the Benefit made by METAFX are final and shall not be challenged by you. Benefit calculations are made on the basis of, and shall range in accordance with, the classification and sensitivity of the data impacted, the ease of exploit and the overall risk to METAFX’s clients and the METAFX brand, and require that the issue be determined a valid security issue by METAFX’s security engineers/team.

  8. If you submit a Vulnerability for a product or service that is not covered by the Program at the time you submitted it, you will not receive a Benefit payment if the product or service is later added to the Program.

  9. The decisions made by METAFX regarding Benefits are final and binding.

10. OWNERSHIP OF SUBMISSION (LICENSE)

  1. As a condition for your participation in the METAFX Program, you hereby grant METAFX, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to METAFX in connection therewith, for any purpose (License).

  2. You agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above.

  3. You understand and acknowledge that METAFX may have developed or commissioned materials similar or identical to your Submission and you waive any claims you may have resulting from any similarities to your Submission.

  4. You understand that you are not guaranteed any compensation or credit for use of your Submission.

  5. You should not make any Submission to us that you do not wish to License to us as described above.

  6. In addition to your covenants indicated above, you further represent and warrant to METAFX that any Submission made by you is original and developed by you, that you own all right, title and interest in and to any such Submission, that you have not used information owned by another person or entity, and that you have the legal right to provide the Submission to METAFX.

11. Waiver

  1. By Accepting the Terms and making a Submission, you hereby irrevocably waive all claims, current or future, of any nature, including express or implied, in contract or otherwise, arising out of any disclosure of the Submission to METAFX and/or any right attaching to any Submission.

  2. In no event shall METAFX be restricted and/or prohibited from discussing, developing itself, having developed, or developing for third parties, materials which are competitive with those set forth in any Submission irrespective of their similarity to the information in the Submission, so long as METAFX complies with the terms of participation stated in these Terms.

  3. A participant of the Program will not be deemed to be in breach of applicable METAFX licence provisions which provide that a user of METAFX Software may not copy, decompile, reverse engineer, disassemble, attempt to derive the source code of, decrypt, modify or create derivative works of such METAFX Software, for in scope actions performed by the participant where all of the following are met:

    • a. the actions were performed during good-faith security research which was or was intended to be responsibly reported to METAFX,

    • b. the actions were performed strictly during participation in the Program, and

    • c. neither the actions nor the participants have otherwise violated these Terms.

12. TERMINATION

In the event where (a) you breach any of these Program Terms or where (b) METAFX determines, in its sole discretion that your continued participation in the Program could adversely impact METAFX (including, but not limited to, presenting any threat to METAFX’s systems, security, finances and/or reputation), METAFX may immediately terminate your participation in the Program and disqualify you from receiving any Benefit.

13. CONFIDENTIALITY

  1. METAFX takes data protection very seriously. We strive to create the most secure infrastructure of any broker in the world and protecting our clients is our highest priority. Confidential information means all confidential information (however recorded or preserved) disclosed, received or collected about METAFX or any METAFX user through the Program including but not limited to the below (Confidential Information):

    • a. any information developed by the parties in the course of carrying out these Terms and the Program; and

    • b. any information that is marked or otherwise designated as confidential at the time of disclosure; and

    • c. any information that would be regarded as confidential by a reasonable person based on the circumstances and content of the disclosure, and includes, without limitation:

      • i. the business, affairs, customers, clients, suppliers, or plans, intentions, or market opportunities of METAFX or its subsidiary and or affiliates,

      • ii. client information, personally identifiable information, financial information, information regarding the Software, information regarding METAFX, business information, pricing information, and

      • iii. the operations, processes, product information, know-how, designs, trade secrets or software of METAFX or its subsidiary and or affiliates.

  2. The participant in this Program hereby acknowledges, agrees and undertakes:

    • a. that any Confidential Information must be kept confidential and only used in connection with the Program. The participant may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the METAFX Software, without METAFX’s prior written consent,

    • b. to protect such Confidential Information with at least the same degree of care that the participant uses to protect its own Confidential Information, but in no case, less than reasonable care,

    • c. to use the disclosing party’s Confidential Information for no purpose other than the use permitted by the disclosing party; and

    • d. to immediately notify the disclosing party upon discovery of any loss or unauthorized disclosure of the disclosing party’s Confidential Information.

  3. At the request of METAFX the participant shall:

    • a. destroy or return to METAFX all documents and materials (and any copies) containing, reflecting, incorporating or based on METAFX's Confidential Information,

    • b. erase all the Confidential Information from computer and communications systems and devices used by it, including such systems and data storage services provided by third parties (to the extent technically and legally practicable), and

    • c. certify in writing to METAFX that it has complied with the requirements of this clause.

  4. The participant shall not use the Confidential Information for any purpose other than to exercise its rights and perform its obligations under or in connection with these Terms.

  5. With respect to the processing of your personal data by METAFX, please refer to the Privacy Policy.

14. INDEMNITY

In addition to any indemnification obligations you may have under the Client Agreements, you agree to at all times defend, indemnify and hold METAFX, its subsidiaries, affiliates, officers, directors, agents, joint ventures, employees and suppliers harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these Program Terms and/or your improper use of the Program.

15. LIMITATION OF LIABILITY

If you have any basis for recovering damages in connection with this Program (including breach of these Terms), you agree that your exclusive remedy is to recover, from METAFX or any subsidiaries, affiliates, resellers, distributors, third-party providers and vendors, direct damages up to USD 100 (one hundred US dollars). You cannot recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental or punitive. These limitations and exclusions apply even if this remedy does not fully compensate you for any losses or fails of its essential purpose, or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program.

16. APPLICABLE LAW AND JURISDICTION

The Agreement and all transactional relations between the Client and the Company shall be governed by and construed in accordance with the laws of Canada and the United Kingdom, and the Parties agree that all disputes shall be finally settled in the courts of Canada and the United Kingdom.

17. MISCELLANEOUS

  1. The Terms and other related documentation/information on the Website, including but not limited to the ‘Privacy Policy’, shall constitute the entire agreement between METAFX and the participant in accordance with the provisions of the Law and shall prevail over any oral or written communication and/or previous agreements between METAFX and the Participant.

  2. In case any provision of the Terms becomes, at any time, illegal, void or unenforceable in any respect, in accordance with any applicable law and/or regulation of any jurisdiction, the legality, validity or enforceability of the remaining provisions of the Terms shall not be affected.

  3. The participant solemnly declares that:

    • a. the participant has received and/or has had the opportunity to receive a copy of the Terms prior to the date of initiating participation in the Program, and that he/she has had the opportunity to get advice from a lawyer and/or professional advisor of his/her choice, and

    • b. the participant has carefully read and has fully comprehended the entire contents of these Terms, with which he/she absolutely and unreservedly agrees, and the participant accepts that he/she shall be fully bound by these Terms.

The Program, including its policies, is subject to change or cancellation by METAFX at any time, without notice. METAFX may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Program after METAFX posts any such changes, you accept the Terms, as modified.

METAFX RESERVES ALL OF ITS LEGAL RIGHTS AND REMEDIES.

Last updated