25/12/2019
BCM Messenger

BCM has a technology team composed of geeks and hackers who pursue excellence and value innovation, aiming to influence and change the world.

Based on cybersecurity attack and defense, AI and blockchain technologies, we designed and developed a new generation communication platform with a high security level. Each communication message sent and received using BCM Messenger platform is based on end-to-end encryption, and no third party can decrypt the content of the message. We will consistently be devoted to privacy protection and communication interconnection and strive to build a reliable and safe Internet of Everything.

BCM looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

Response Targets

BCM will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 3 business days
  • Time to triage (from report submit) - 5 business days
  • Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Scope

Please refer to the assets in our In-Scope section, which includes our website, iOS app and Android apps etc. The assets in the structured scope list are only guidance for your testing; the scope includes these but is not limited to them. However, please note that the wallet function is out of scope.

Disclosure Policy

  • Please do not discuss any vulnerabilities (even resolved ones) outside of the program. BCM does not currently support public disclosure.
  • Follow HackerOne's disclosure guidelines.

Program Rules

  • Be cautious when performing any high-risk action. If your testing may affect the stability, usability, or integrity of the application(s), please provide a proof of concept only; if we require you to go further, we will give our express authorisation to do so.
  • You're free to register your own test accounts, but please limit your testing to only accounts you control.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Do not perform large scale scanning on the targets.
  • Do not perform any kind of DoS or DDoS attacks.
  • If you happen to find a critical issue, please do not leverage that vulnerability to go deeper (for instance, don't use SQLi or RCE to exfiltrate data, etc).

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Self-XSS
  • Flash-based XSS
  • Cross-Origin Resource Sharing (CORS)
  • Email Spoof
  • Session fixation
  • Content Spoofing
  • Missing cookie flags
  • Best practices/issues in SSL/TLS configuration
  • HTML content injection
  • Mixed content warnings
  • Clickjacking/UI redressing
  • Physical or social engineering attacks
  • Reflected file download attacks (RFD)
  • Carriage Return Line Feed injection (CRLF)
  • Login/logout/unauthenticated/low-impact CSRF
  • Unverified results of automated tools or scanners
  • No SPF/DMARC in non-email domains/subdomains
  • Attacks requiring MITM or physical access to a user's device
  • Issues related to networking protocols or industry standards
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Error information disclosure that cannot be used to make a direct attack
  • Missing security-related HTTP headers which do not lead directly to a vulnerability

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep BCM and our users safe!
BCM is committed to treating our customers’ data with the utmost care. As part of this, we encourage security researchers to put our security to the test. We look forward to continuing to work with the community as we add new features and services.

If you have found any vulnerabilities in the products or services of BCM, you are welcome to submit a vulnerability report to security@bcm.technology.

Scope

All the assets of BCM are in scope. The assets include the website, iOS apps, Android apps etc. The assets in the structured scope list are only guidance for your testing; the scope includes these but is not limited to them. However, please note that the wallet function is out of scope.

Disclosure Policy

  • Please do not discuss any vulnerabilities (even resolved ones) outside of the program.
  • Follow HackerOne's disclosure guidelines.

Program Rules

  • Be cautious when performing any high-risk action. If your testing may affect the stability, usability, or integrity of the application(s), please provide a proof of concept only; if we require you to go further, we will give our express authorisation to do so.
  • You're free to register your own test accounts, but please limit your testing to only accounts you control.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Do not perform large scale scanning on the targets.
  • Do not perform any kind of DoS or DDoS attacks.
  • If you happen to find a critical issue, please do not leverage that vulnerability to go deeper (for instance, don't use SQLi or RCE to exfiltrate data, etc).

Exclusions

The following finding types are specifically excluded:

  • CORS
  • Self-XSS
  • Email Spoof
  • Session fixation
  • Flash-based XSS
  • Content Spoofing
  • Missing cookie flags
  • Best practices/issues
  • HTML content injection
  • Mixed content warnings
  • Clickjacking/UI redressing
  • Physical or social engineering attacks
  • Reflected file download attacks (RFD)
  • Carriage Return Line Feed injection (CRLF)
  • Login/logout/unauthenticated/low-impact CSRF
  • Unverified results of automated tools or scanners
  • No SPF/DMARC in non-email domains/subdomains
  • Attacks requiring MITM or physical access to a user's device
  • Issues related to networking protocols or industry standards
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Error information disclosure that cannot be used to make a direct attack
  • Missing security-related HTTP headers which do not lead directly to a vulnerability

Thank you for helping keep BCM and our users safe!

In Scope

Scope Type           Scope Name
android_application  BCM - Blockchain Messenger
web_application      www.bcm-im.com
web_application      com.bcm.messenger
web_application      BCM IM Security Chat


This program was found on HackerOne on 2019-12-25.

FireBounty © 2015-2020
