Welcome to the Insolar Bug Bounty!
Data exchange is the backbone of every business process. Insolar develops the
platform and solutions to power trusted data exchange between businesses.
Insolar Assured Ledger™ technology ensures data consistency, transparency and
security. Control access and retain ownership of shared data.
Insolar works with Microsoft, Oracle, UC Berkeley and Fortune Global 500. Our
team is made up of over 80 people, including 50 engineers, across Europe and
Insolar looks forward to working with the security community to find
vulnerabilities in order to keep our businesses and customers safe.
Insolar will make a best effort to meet the following SLAs for hackers
participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
- As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Insolar.
- Follow HackerOne's disclosure guidelines.
Please provide detailed reports with reproducible steps. If the report is not
detailed enough to reproduce the issue, the issue will not be eligible for a
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- We may cancel or modify this program or these Terms at any time. The Terms that apply to you are those posted here as of the date of your submission. Please check the latest Terms before you submit your report.
- Insolar Technologies GmbH shall not be liable in any way for any claims arising from your use of the bounty program or your submitted reports. You hereby indemnify and hold harmless Insolar Technologies GmbH and its officers, directors, and employees from any claims arising from your breach of these Terms.
- All taxes on a bounty, if any, are the responsibility of the bounty recipient.
- These Terms shall be governed by the laws of Switzerland.
Please include the following in your report:
- Asset - What software asset the vulnerability is related to
- Severity - Your opinion on the severity of the issue (proposed CVSSv3 vector and score, without environmental and temporal modifiers)
- Summary - Add a summary of the vulnerability
- Description - Any additional details about this vulnerability
- Steps - Steps to reproduce
- Supporting Material/References - Source code to replicate, and any additional material (e.g. screenshots, videos, logs, etc.)
- Impact - What security impact could an attacker achieve?
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring
System). Please note these are general guidelines (see the rewards table), and
reward decisions are up to the discretion of Insolar Technologies GmbH.
Out of Scope assets:
When reporting vulnerabilities, please consider (1) attack scenario /
exploitability, and (2) security impact of the bug.
- Send a contract into an infinite loop
- Crash a node with a contract
- Trigger unauthorized actions on contracts
- Transaction tampering
- Double spending
- Lock the contract such that funds contained within it are no longer accessible by authorized parties through approved methods
- Cause funds to be misappropriated or incorrectly moved within the account
- In general, any bug that can lead to loss of funds
- Bugs which can take control of nodes by remote execution of any code
- Bugs which can lead to private key leakage
- Access to our production servers
- Remote code execution
- Authentication bypass
- SQL injection
- Unauthorized access
- Severe XSS and CSRF
- Change content on our pages/websites
- Authentication bypass or privilege escalation
- Accessing users' private keys and personal data
The following issues are considered out of scope:
- Lack of password length restrictions
- URL redirection or phishing
- Clickjacking on pages with no sensitive actions
- Unauthenticated/logout/login CSRF
- Attacks requiring physical access to a user's device
- Missing best practices in SSL/TLS configuration
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
- Spam or social engineering techniques
- Distributed denial-of-service attacks (DDoS)
- Reliability of the infrastructure hosting the testnet
- Vulnerabilities already known to the public or to the Insolar team, including previous findings from another participant in the bug bounty program
- Bugs that are not reproducible
- Bugs disclosed to other parties without consent from Insolar
- Issues which we cannot reasonably be expected to be able to do anything about
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Any activity that could lead to the disruption of our service (DoS)
- Merely showing that a page can be iframed without finding a link on the page to be clickjacked
- DNS vulnerabilities
- Reports from automated tools or scans (without accompanying demonstration of exploitability)
- SPF/DMARC records
- CORS headers on endpoints meant to be accessible from other domains
- Vulnerabilities in 3rd party libraries without a working exploit against our apps/servers
- Lack of security headers
- Physical security of our offices, employees, etc.
- Non-security-impacting UX issues
- Rate limiting on any endpoint
- Missing HTTP security headers and Host header attacks
- Missing cookie flags on non-sensitive cookies
- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM)
- Absence of certificate pinning
- Sensitive data in URLs/request bodies when protected by TLS
- User data stored unencrypted on external storage and in private directories
- DNSSEC misconfiguration
Any activities conducted in a manner consistent with this policy will be
considered authorized conduct and we will not initiate legal action against
you. If legal action is initiated by a third party against you in connection
with activities conducted under this policy, we will take steps to make it
known that your actions were conducted in compliance with this policy.
Thank you for helping keep Insolar and our users safe!