Status is a secure messaging app, crypto wallet, and Web3 browser built with
state of the art technology. User privacy and security is our highest
priority; our maximum public bug bounty program reflects that.
The Bug Bounty Program directly serves Status .im's principles
by helping us to keep our users safe. In that
spirit, by taking part in our bug bounty program, you contribute to everyone's
security & privacy in the Status ecosystem.
NOTE: Status is a transparent organization. Everything we do is open source.
This is also true for our discussions and processes, where we strive to allow
the Ethereum ecoystem as much insight in what we do as possible. Therefore, a
lot of our infrastructure and assets is intentionally publicly accessible.
Please consider the out of scope section of this doc for more information on
Status.im will make the best effort to meet the following response targets for
hackers participating in our program:
- Time to first response (from report submit) - 3 business days
- Time to triage (from report submit) - 5 business days
- Time to bounty (from triage) - 30 business days
- Time to resolution (from triage) - 30 business days
We'll keep you informed about our progress throughout the process.
- Do not discuss this program or any vulnerabilities outside of the program without explicit consent or before public disclosure.
- Follow HackerOne's disclosure guidelines .
- Please fill out the report template diligently and provide as much information as possible in a compressed format. As a researcher, you know best what is wrong with the code you attack, so if you provide helpful information to speed up our mitigation efforts, we might pay out an additional bounty for your report.
- We work as a purple team , so if you're able to speed up our mitigation efforts, Status.im might invite you to temporarily join our Discord/Status channels to work with our engineering team on mitigation. If you're invited, you'll receive bonuses over the HackerOne platform.
- Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, it will not be eligible for a reward.
- Submit one vulnerability per a report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report received (provided that we can fully reproduce).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Researchers may not, and are not authorized to engage in any activity that would be disruptive, damaging, or harmful to Status.im brands or its users. This includes social engineering ((e.g., phishing, vishing, smishing), physical security, and denial of service attacks against users, employees, or Status.im as a whole. Social engineering is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- If you gain access to sensitive information --such as personal information, credentials -- as part of vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after the initial discovery.
- Only reports submitted to this program and against assets in scope will be eligible for a monetary award.
- Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Status.im or HackerOne employees) prior to public disclosure
- Only use authorized accounts so as not to compromise the privacy of our users inadvertently When attempting to demonstrate root permissions with the following primitives in a vulnerable process, please use the following commands: Read: cat /proc/1/maps Write: touch /root/ Execute: id, hostname, pwd (though, technically cat and touch also prove execution)
- Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and data.
- Before causing damage or potential damage: Stop, report what you've found and requested additional testing permission
Please see the structured bounty table. Our bounty table provides general
guidelines, and all final decisions are at the discretion of Status.im.
Out of scope vulnerabilities
Please do not engage with infrastructure hosted on infra.status.im and all
subdomains as any scanning and testing activity is treated as an incident.
Violations lead to an exclusion from our program.
For all other vulnerabilities, please consider (1) attack
scenario/exploitability, and (2) security impact of the bug. The following
issues are considered out of scope:
- Current issues within the Status.im Github repositories (will be regarded as duplicates)
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Any physical attacks against Status property or data centers
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity at the network or application layer that could lead to the disruption of our service (DoS), especially any form of spam (network level or client side)
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Vulnerabilities on subdomains of *.status.im
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Issues in software or hardware not under Status.im control: Vulnerabilities that have their root cause in an upstream dependency (e.g., React-Native) might be applicable, but have their severity lowered by at least 1 grade (e.g., Critical -> High, Medium -> Low))
Additionally we have a list of known issues tagged security
you should review before
reporting for all our assets on GitHub. The following vulnerability types have
already been reported and triaged, and won't be fixed. These issues will be
closed as Not Applicable:
- URL Spoofing - React-Native-Webview - Any issue where an attacker can spoof the URL in Status Android or iOS mobile App.
- We want to ensure that we are running a fun and engaging bug bounty program. For that reason, we would love to hear your feedback on how we can improve our program. If there is anything we can do additional to help facilitate your testing, please let us know by filling out the form above.
Any activities conducted in a manner consistent with this policy will be
considered authorized conduct, and we will not initiate legal action against
you. If a third party initiates legal action against you in connection with
activities conducted under this policy, we will take steps to make it known
that your actions were conducted in compliance with this policy.
Thank you for helping keep Status.im and our users safe; happy hacking!