Severity Guidelines

   

All bounty submissions are rated by using a purposefully simple scale. Each vulnerability is unique but the following is a rough guideline we use internally for rating and rewarding submissions:


Critical Severity - 1000+ USD

Critical severity issues present a direct and immediate risk to a broad array of our users or to Blockonomics itself

  • arbitrary code/command execution in our production network
  • arbitrary SQL queries/injection
  • bypassing the login process
  • access to sensitive production user data or access to internal production system


High Severity - 500 USD 

High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access

  • Gaining access to a non-critical resource that only employees should be able to reach
  • Attacks like CSRF/Stored XSS that require user interaction
  • Getting access/changing particular user's data

Medium Severity - 100 USD 


Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access

  • Getting directory listing of server files
  • Forcing server endpoints to spew out classified data
  • Functional security issues like password reset link not expiring
  • Open Redirect


Low Severity - 50USD


Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker

  • DOS issues
  • Triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information
  • Insignificant information leaks (no customer data)


Ineligible reports

  • Bugs reported by large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic
  • DDoS, missing/inadequate requests rate limiting
  • Missing DMARC records
  • Vulnerabilities on unsupported browsers, operating systems, and outdated versions of our apps
  • Social engineering, brute force attacks, compromised user password


Rules of Bug Bounty program

  • Disclose reproducible security bugs immediately to us
  • No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • The more thorough the proof-of-concept, the higher the chance a payout will be awarded
  • Don’t make the bug public before it has been fixed.
  • Bounty will be awarded only in bitcoins (BTC)
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)
  • Amounts mentioned in severity guidelines are indicative. The exact amount of bounty is decided by our security team



How to submit report


Create a ticket on help.blockonomics.co with detail of the issue. Our team will get back to you within a few days