Banner object (1)

5068 policies in database
  Back Link to program      
Insolar logo
Hall of Fame



About Insolar

Welcome to the Insolar Bug Bounty!

Data exchange is the backbone of every business process. Insolar develops the platform and solutions to power trusted data exchange between businesses.

Insolar Assured LedgerTM technology ensures data consistency, transparency and security. Control access and retain ownership of shared data.

Insolar works with Microsoft, Oracle, UC Berkeley and Fortune Global 500. Our team is made up of over 80 people, including 50 engineers, across Europe and North America.

Insolar looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Insolar will make a best effort to meet the following SLAs for hackers participating in our program:

Type of Response | SLA in business days
First Response | 2 days
Time to Triage | 2 days
Time to Bounty | 14 days
Time to Resolution | depends on severity and complexity

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

  • As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Insolar.
  • Follow HackerOne's disclosure guidelines .

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • We may cancel or modify this program or these Terms at any time. The Terms that apply to you are those posted here as of the date of your submission. Please check the latest Terms before you submit your report.
  • Insolar Technologies GmbH shall not be liable in any way for any claims arising from your use of the bounty program or your submitted reports. You hereby indemnity and hold harmless the Insolar Technologies GmbH and its officers, directors, and employees from any claims arising from your breach of these Terms.
  • All taxes on a bounty, if any, are the responsibility of the bounty recipient.
  • These Terms shall be governed by the laws of Switzerland.

Report Rules:

Please include the following in your report:

Asset - What software asset the vulnerability is related to
Severity - Your opinion on the severity of the issue (Proposed CVSSv3 Vector&Score(without environmental and temporal modifiers)
Summary - ­Add a summary of the vulnerability
Description -­ Any additional details about this vulnerability
Steps - Steps to reproduce
Supporting Material/References ­- Source code to replicate, list any additional material (e.g. screenshots, videos, logs, etc.)
Impact - What security impact could an attacker achieve?


Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, (see the rewards table) and reward decisions are up to the discretion of Insolar Technologies GmbH.

Out of Scope assets:

Qualifying vulnerabilities:

When reporting vulnerabilities, please consider (1) attack scenario /

exploitability, and (2) security impact of the bug.

  • Send a contract into an infinite loop
  • Crash node with a contract
  • Trigger unauthorized actions on contracts
  • Transactions tampering
  • Double spending
  • Lock the contract such that funds contained within it are no longer accessible by authorized parties through approved methods
  • Cause funds to be misappropriated or incorrectly moved within the account
  • In general, any bug that can lead to loss of funds
  • Bugs which can take control of nodes by remote execution of any code
  • Bugs which can lead to private key leakage
  • Access to our production servers
  • Remote code execution
  • Authentication bypass
  • SQL injection
  • Unauthorized Access
  • Severe XSS and CSRF
  • Clickjacking
  • Change content on our pages/websites
  • Authentication bypass or privilege escalation
  • Accessing users private keys and personal data

Non-qualifying Vulnerabilities:

The following issues are considered out of scope:

  • Self-XSS
  • Lack of password length restrictions
  • URL redirection or Phishing
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring physical access to a user's device.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Spam or social engineering techniques
  • Distributed denial-of-service attacks (DDoS)
  • Reliability of the infrastructure hosting testnet
  • Vulnerabilities already known to the public or to the Insolar team including previous findings from another participant in the bug bounty program
  • Bugs that are not reproducible
  • Bugs disclosed to other parties without consent from Insolar
  • Issues which we cannot reasonably be expected to be able to do anything about
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Any activity that could lead to the disruption of our service (DoS)
  • Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.
  • DNS vulnerabilities
  • Reports from automated tools or scans (without accompanying demonstration of exploitability)
  • SPF/DMARC records
  • CORS headers on endpoints meant to be accessible from other domains.
  • Vulnerabilities in 3rd party libraries without working exploit against our apps/servers.
  • Lack of security headers
  • Physical security of our offices, employees, etc.
  • Non-security-impacting UX issues
  • Rate limiting to any endpoint
  • Missing HTTP security headers and Host Header Attacks
  • Missing cookie flags on non-sensitive cookies
  • Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage and private directory.
  • DNSSEC Misconfiguration

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Insolar and our users safe!

In Scope

Scope Type Scope Name





Out of Scope

Scope Type Scope Name

Nodes of Blockchain





This program have been found on Hackerone on 2020-01-28.

FireBounty © 2015-2020

Legal notices