Maguar Capital GmbH & Co. KG Brokers - Digital Assets for Institutional Investors

Security Researcher Vulnerability Policy

Policy Overview
Maguar Capital GmbH & Co. KG Brokers prioritizes the security of our institutional infrastructure. We recognize the invaluable contributions of the global security research community in identifying and mitigating potential risks. If you identify a vulnerability that could impact the confidentiality or availability of our systems, we encourage you to report it through our established channels. We request that all findings be kept confidential until remediation is complete, ensuring the continued protection of our clients. By interacting with this program, you agree to the conditions outlined below, which serve to protect both your research and our operational integrity.
Vulnerability Submission
Should you discover a security flaw, please notify our security operations center immediately at security@dexes.eu.com.
To expedite our assessment, please provide the following details:
  • the type of vulnerability identified
  • the service/product/URL impacted by the vulnerability
  • a detailed description of the vulnerability
  • the information necessary to reproduce the issue
  • the IP address(es) from which the security vulnerability was identified, together with the date and time of the discovery
  • any files that can help in reproducing the vulnerability (e.g. screenshots, images, text files with description details, PoC, source code, scripts, pcap traces, logs, source IP addresses, etc.)
Valid submissions must include a reproducible proof-of-concept and a clear description of the potential business impact on our custody services.
Restricted Activities
To maintain system stability and client privacy, the following actions are strictly prohibited during your research:
  1. Use of a detected vulnerability to obtain more information than necessary for proving the vulnerability.
  2. Use of the detected vulnerability to spy, modify, delete or distribute any personal or sensitive data.
  3. Accessing or attempting to access accounts or information you are not authorized to access.
  4. Any attempt to modify or destroy information.
  5. Sending or attempting to send unsolicited or unauthorized email or other types of message.
  6. Conducting social engineering (including phishing) on Group employees, contractors, customers, or any other related party.
  7. Posting, transmitting, uploading, linking to, sending, or storing malware that could impact our services, products, or customers.
  8. Exfiltration, disclosure, or use of any proprietary or confidential information or data of Maguar Capital GmbH & Co. KG Brokers (including customer data) under any circumstances.
  9. Any physical attempts against Maguar Capital GmbH & Co. KG Brokers property.
  10. Any Denial of Service (DoS/DDoS) attacks or brute force attacks against login pages.
  11. Any activity or attempt to gain unauthorized access to Maguar Capital GmbH & Co. KG Brokers software or systems in violation of the law.
Assessment Scope
The following digital assets are eligible for assessment under this policy, specifically those processing institutional data:
  1. www.dexes.eu.com
  2. login.dexes.eu.com
  3. api.dexes.eu.com
  4. Maguar Capital GmbH & Co. KG Brokers 2FA mobile app on Android and iOS
Excluded Vulnerabilities
Certain classes of vulnerabilities are excluded from this program to focus efforts on high-impact security risks:
Domains
  • Any domain not listed under Assessment Scope is out of scope for this program
Application
  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate limits or the non-existence of rate limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages with no sensitive actions
  • CSV Injection
  • Hyperlink injection/takeovers
  • Mixed content type issues
  • Cross-domain referer leakage
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL configurations and SSL/TLS scan reports
  • Not stripping metadata of images
  • Disclosing API keys without proven impact
  • Same-site scripting
  • Subdomain takeover without having taken over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (DNS pingback only is not sufficient)
  • Disclosed and/or misconfigured Google API key (including maps)
  • Host header injection without proven business impact.
General
  • In case a reported vulnerability was already known to the company, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s), or issues that would require complex end-user interactions to be exploited, may be excluded or be lowered in severity
  • Spam, social engineering, and physical intrusion
  • DoS/DDoS attacks
  • Brute force attacks against login pages
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
  • Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts
  • Recently disclosed zero-day vulnerabilities in commercial products for which no patch, or only a recent patch (< 2 weeks old), is available: please wait 2 weeks after the zero-day has been publicly disclosed before reporting it to us.
  • Reports that state that software is out of date/vulnerable without a proof-of-concept.
Mobile
  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • The absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation
  • Path disclosure in the binary
  • Lack of jailbreak & root detection
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls or mobile SSL pinning
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
  • API key leakage where the key is only used for non-sensitive activities/actions
  • Attacks requiring physical access to the victim's device
Researcher Safe Harbor
Maguar Capital GmbH & Co. KG Brokers commits to not pursuing legal action against researchers who operate in good faith and adhere to these guidelines. We view authorized security assessments as a collaborative effort to strengthen the digital asset ecosystem.

If you remain within the defined scope and comply with our terms, we will support your efforts and acknowledge your contribution to our security posture. For any questions regarding policy compliance, please consult with us at security@dexes.eu.com.
Submission Guidelines & Terms
All participants must adhere to the following contractual obligations during the disclosure process:
  1. You are contacting us in your personal capacity and are at least 18 years old, or are at least 16 years old and have permission from your parent or guardian.
  2. You agree that any oral or written information exchanged between you and Maguar Capital GmbH & Co. KG Brokers in connection with these Terms of Use is confidential. You will maintain the confidentiality of all such confidential information and will not disclose any relevant confidential information, including information you obtained during testing, to any third parties without obtaining the written consent of Maguar Capital GmbH & Co. KG Brokers. You also agree to delete all confidential information obtained during testing immediately after reporting to us.
  3. You will only conduct security and vulnerability research as a black box unless being given an account by Maguar Capital GmbH & Co. KG Brokers explicitly for security testing purposes. You will not use social engineering or brute force methods to attempt to obtain confidential credentials. You will not engage in any activity that could harm Maguar Capital GmbH & Co. KG Brokers, our customers, employees, services and/or assets.
  4. You agree to comply with all applicable laws and regulations in connection with your security research activities.
  5. You will allow us a reasonable opportunity to investigate and respond prior to contacting anyone else about this matter.
  6. By submitting information relating to a vulnerability, you grant us a perpetual, worldwide, royalty-free, fully paid-up license to use and disclose any information you submit, including any proofs of concept, patches, improvements, suggestions, code samples, or any other information, in connection with the vulnerability to analyze, remediate or improve our systems and networks, incorporate it into our products or services, and to conduct further testing, or for any other legitimate business purpose. We do not grant you any intellectual property rights to any image, information, writing, invention, code, or other creation in connection with these Terms of Use.
  7. Nothing in connection with your submission of a vulnerability shall indicate that you are an employee of Maguar Capital GmbH & Co. KG Brokers, and the relationship between you and Maguar Capital GmbH & Co. KG Brokers shall not constitute a partnership, joint venture, or agency. You shall not have the authority to make any statement, representation, or commitment on behalf of Maguar Capital GmbH & Co. KG Brokers.
  8. Maguar Capital GmbH & Co. KG Brokers, its affiliates, representatives, contractors, and employees shall not be liable to you in connection with these Terms of Use for any direct, indirect, exemplary, incidental, special, or consequential damages. Unless otherwise agreed by Maguar Capital GmbH & Co. KG Brokers, any information submitted by you in connection with a vulnerability is provided at no charge and Maguar Capital GmbH & Co. KG Brokers shall not owe you any fee for that submission or any services performed or expenses incurred.
We value your expertise and commitment to securing the future of digital asset custody.

Maguar Capital GmbH & Co. KG Brokers reserves the right, in its sole discretion, to modify the terms of the Responsible Disclosure Guidelines or to terminate any or all of them at any time.