Exodus is one of the top non-custodial crypto wallets. We value our customers wallet's security more than anything. We are looking forward to working with you.

==Do NOT test Exodus contact form and do NOT create multiple support tickets via Exodus support features. Please read out-of-scope section before beginning the testing==

Response Targets

Exodus will make a best effort to meet the following SLAs for hackers participating in our program:

| Type of Response | SLA in business days |

| ------------- | ------------- |

| First Response | < 1 day |

| Time to Triage | < 1 day |

| Time to Bounty | < 3 days (We respect your time and don't hesitate to reward) |

| Time to Resolution | depends on severity and complexity, typically pretty fast though |

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Exodus.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Add h1-<Your-HackerOne-Username> in the User-Agent header to help us filter out traffic and whitelist your IP, otherwise your IP could be added to an explicit block rule.

Report submission

• When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug/vulnerability. The Google Bug Hunters University guide may be useful in considering whether an issue has security impact.

• Submit one vulnerability per report. WARNING: If the same exploit occurs across multiple endpoints, please include those endpoints under your single submission. Do NOT file multiple reports for the same exploit.

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty (see above item).

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service (including denial of service). Only interact with accounts you own or with explicit permission of the account holder. If you do accidentally cause some noticeable interruption of service, please immediately email us so we can handle it accordingly hack1@exodusmovement.opsgenie.net and please include the subject title "HackerOne Outage: <description>" for the alert to trigger.

Rewards

Reward decisions are up to the discretion of Exodus.

• Minimum reward for a vulnerability report: $100

• Maximum reward for a vulnerability report: $100,000

In scope vulnerabilities

• Technical vulnerabilities or security-related problems in any of our company's internet public surface (websites and subdomains underneath Exodus's control)

• Technical vulnerabilities or security-related problems in our company's Desktop Wallet application.

External Dependencies

Exodus makes use of a number of open (and closed) source libraries. If you discover a vulnerability in

an open source dependent library or OS component, we advise you to follow responsible disclosure procedures directly with the library or OS vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components. However, if one of those libraries included you can demonstrate a serious vulnerability of any of our software/servers as a result of that library with a working Proof of Concept, we will on a case-by-case basis consider this in-scope and grant rewards.

Out of scope vulnerabilities

If you find a vulnerability that is not part of the In scope vulnerabilities, please report it and we will investigate it and depending on the severity of the vulnerability, you will be listed in our Hall of Fame and may be eligible for a reward. Any rewards for out of scope vulnerabilities will be granted on a case by case basis.

The following issues are currently considered out of scope:

• Weaknesses that would require Email Phishing or Social Engineering

• Attacks requiring MITM or physical access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

• Sites/Software that is run entirely by another company that is simply subdomain-ed or linked to from our company. Eg: Constant Contact, Zendesk, etc.

• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

• Vulnerabilities only affecting users of outdated or unpatched browsers or wallets [Less than 3 stable versions behind the latest released stable version]

• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

• Package include/dependency vulnerabilities without demonstrating a vulnerability.

• Issues that require unlikely user interaction

• (KNOWN ISSUE) Disclosure of methods/endpoints/api keys involving 3rd party blockchain APIs (ex. bitcoin, tezos, waves etc) including known embedded API key, and known outdated swaggerhub / openapi issue. (also mentioned in specific scopes for increased awareness)

The following issues are currently considered do not attempt without permission:

• Extended testing/attacks of Exodus servers or infrastructure

• Rate limiting or brute-force attacks on exodus backend infrastructure

• Any activity that could lead to the disruption of our service (DoS).

To request permission, please email h1@exodus.com and mention the details of your test including what endpoint(s) you will be hitting, what type of scan/attack/etc you would like to try, and what you're trying to achieve. We will respond within 2 working days, ideally less to your request. As long as it is reasonably well thought out and we don't see a risk on our end, we will approve the request.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not report to any law enforcement agencies or initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, Exodus will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Exodus and our users safe!