TABLE OF CONTENTS
- Severity Guidelines
- Ineligible reports
- Known Issues
- Rules of Bug Bounty program
- How to submit report
Severity Guidelines
All bounty submissions are rated using a purposefully simple scale. Each vulnerability is unique, but the following is a rough guideline we use internally for rating and rewarding submissions:
Critical Severity - 1000+ USD
Critical severity issues present a direct and immediate risk to a broad array of our users or to Blockonomics itself.
- Arbitrary code/command execution in our production network.
- Arbitrary SQL queries/injection.
- Bypassing the login process.
- Access to sensitive production user data or access to internal production systems.
High Severity - 500 USD
High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access.
- Gaining access to a non-critical resource that only employees should be able to reach.
- Attacks like CSRF/Stored XSS that require user interaction.
- Getting access to or changing a particular user's data.
Medium Severity - 100 USD
Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access.
- Getting a directory listing of server files.
- Forcing server endpoints to return classified data.
- Functional security issues, such as a password reset link not expiring.
- Open Redirect.
Low Severity - 50 USD
Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but they allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker.
- DDOS issues that don't involve brute force and can cause extensive damage.
Ineligible reports
- Triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.
- Insignificant information leaks (no customer data).
- Bugs reported by large-scale vulnerability scanners, scrapers, or automated tools that produce excessive amounts of traffic; this includes missing headers.
- Common DDOS issues, missing/inadequate request rate limiting.
- Vulnerabilities on unsupported browsers, operating systems, and outdated versions of our apps.
- Social engineering, brute force attacks, compromised user passwords.
- Bugs found on help.blockonomics.co are not eligible, as this site is hosted and managed by Freshdesk.
- Known issues listed below are ineligible for bounty.
Known Issues
The following issues are known and are expected behavior for Blockonomics. We expect our crypto users to be aware of security and don't enforce these policies.
- Weak password policy, no password maximum length.
- Forgot/Reset password allows creating a new account.
- Password reset link not expiring after password/email change.
- Failure to invalidate sessions on password/email change.
- Logout does not destroy existing sessions.
- Copying the session cookie allows login.
- DMARC record missing.
- Server version disclosure.
- Frontend libraries not at the latest versions.
Rules of Bug Bounty program
- Disclose reproducible security bugs immediately to us.
- No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- The more thorough the proof-of-concept, the higher the chance a payout will be awarded.
- Don't make the bug public before it has been fixed.
- Bounty will be awarded only in bitcoins (BTC).
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Amounts mentioned in the severity guidelines are indicative. The exact amount of bounty is decided by our security team.
How to submit report
Create a ticket on help.blockonomics.co with details of the issue. Our team will get back to you within a few days.