Pillar Project Worldwide Limited
The Pillar Bug Bounty Program is aimed at discovering potential security vulnerabilities in the wallet mobile app and supporting APIs. Security of Pillar Wallet is our main objective and we’d like to use the help of Pillar’s community members, especially those specialising in global network security. All this to make Pillar Wallet the most secure token and cryptocurrency wallet in the industry.
Pillar Project will make a best effort to meet the following SLAs for hackers participating in our program:
Time to first response (from report submit) - 2 business days
Time to triage (from report submit) - 2 business days
Time to bounty (from triage) - 14 business days
We’ll try to keep you informed about our progress throughout the process.
Please review our bounty table. Rewards are at the discretion of Pillar, and we will not be awarding significant bounties for low severity bugs.
Bugs which lead to horizontal privilege escalation (account takeover)
Bugs which lead to remote code execution on API hosts
Bugs which lead to private key leakage on non rooted or jailbroken devices (excluding phishing-style attacks)
Bugs which lead to vertical privilege escalation including unauthorized non-blockchain operations on user accounts.
Application logic bugs that cause Denial of Service (DoS) in the Pillar Platform Core API. Network DDoS attacks are out of scope.
Please test the latest released versions of each project available. Only the newest released package is in scope.
Pillar Wallet mobile app, both iOS and Android
Platform Core API
Apps are available to the public on App Store and Play Store. If you have any questions, reach out to bugbounty@pillarproject.io.
Source of the bug, e.g. Mobile app or specific API.
Your personal assessment of the severity of the bug as medium/high/critical
A summary of the bug.
A detailed description of the bug.
Instructions to encounter the bug.
Other supplementary materials such as proof of concepts, source code, screenshots or logs.
These following locations are considered out of scope for the bug bounty rewards. If you find issues with these projects, PLEASE file issues on the respective repositories if possible.
Disclosure of a Google API key!!
Pillar Project website or any other promotional material
Pillar Project support IT infrastructure
Pillar infrastructure that has nothing to do with the mobile app (SPF/DMARC, etc)
Any third party partners
Clickjacking on pages with no sensitive actions.
Unauthenticated/logout/login CSRF.
Network DoS / DDoS
Attacks requiring root level access to the machine/device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
For a bounty to be paid, a bug must have a working proof of concept that results in the impact defined for each classification level above. Ie evidence that the vulnerabilities is exploitable.
Reports that detail information disclosure vulnerabilities will be close as 'Informational' unless a PoC is provided that shows how the information can be used in an attack scenario
For a report which contains several bugs, if they share an origin of the same underlying bug or are interrelated, we will regard and reward these bugs as one single bug discovery.
If several members report on the same bug, the reward will be awarded to the earliest submission verified by Pillar Project.
If a bug was reported on other public channels of Pillar Project earlier, e.g. Github, Discord and etc., the report containing the same bug will be only regarded as an Informative report or Duplicate report.
All rights of interpretation of reward amount are reserved to Pillar Project.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.
Any misuse of information gathered from vulnerabilities found, will result in the Finders account being reported.
All rights of interpretation of the Bug Bounty are reserved to Pillar. Pillar Project decides whether to reward a bug disclosure and how much will be rewarded. Any individual or team participant should not violate any laws and regulations during testing.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thanks in advance for all the time and energy spent on making Pillar Wallet and our users safe!
| Scope Type | Scope Name |
|---|---|
| android_application | com.pillarproject.wallet |
| ios_application | com.pillarproject.wallet |
| other | Platform Core API |
| other | Etherspot SDK |
Firebounty have crawled on 2019-11-14 the program Pillar Project Worldwide Limited on the platform Hackerone.
FireBounty © 2015-2024
