21/02/2018
Reward types: Thanks, Gift, Hall of Fame, Reward
Minimum reward: 50 $

Electroneum

Introducing Electroneum

We have developed a revolutionary new digital payments ecosystem that allows anyone to transact digital funds via their smartphone. Our ecosystem is powered by our very own blockchain Electroneum.

Our mobile-based payments solution is powered by our own cryptocurrency called ETN (Electroneum). ETN is a store of value that can be used to purchase everyday items, from bread and milk, to mobile phone top ups. When used in conjunction with the Electroneum mobile application, users can transfer ETN to anyone in an instant, either in person or remotely.

Electroneum believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Thank you for helping us keep Electroneum and our users safe!

Latest Software Rollouts

  • API Deployments 5th September 2019 – General bugfixes
  • Desktop Deployments 5th September 2019 – General bugfixes
  • Mobile Deployments 9th September 2019 – General bugfixes

Researcher Requirements

Complying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:

  1. Providing Electroneum a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.
  2. Making a good faith effort to preserve the confidentiality and integrity of any Electroneum user’s data.
  3. Not defrauding Electroneum users or Electroneum itself in the process of participating in the Bug Bounty Program.
  4. Not profiting from, or allowing any other party to profit from, a vulnerability outside of Bug Bounty Program rewards from Electroneum.
  5. Reporting vulnerabilities with no conditions, demands, or ransom threats.

Electroneum considers Social Engineering attacks against Electroneum employees to be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Electroneum employees will be banned from the Electroneum Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.

Report Evaluation

In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Electroneum that harms Electroneum or Electroneum users.

Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.

A report must be a valid, in scope report in order to qualify for a bounty. Electroneum awards bounties based on severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.

Impact

Impact describes the effects of successful exploitation upon Electroneum systems or users. We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information. Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact. For example:

  • Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of system.
  • Medium/High Impact: Identifying a vulnerability that allows you to expose another user’s data.
  • Critical Impact: Attackers can read or modify sensitive data in a system (including KYC or selfie data), execute arbitrary code on the system, or obtain or spend another user's ETN.

Exploitability

Exploitability describes the difficulty of actively exploiting the vulnerability itself. We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements. For example:

  • Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.
  • Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.

Severity

Severity is determined as a combination of Impact and Exploitability. For example:

  • Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.
  • Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Electroneum or Electroneum users.

General rewards guidelines

In order to provide general guidelines to researchers regarding the rewards that can be expected for a given report, Electroneum uses the severity of a report to place the report into one of the following tiers and the reward can be found at the top of the bounty page.

  1. Critical
  2. High
  3. Medium
  4. Low
  5. Information

The rewards for each tier are minimum bounties for the tier. Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.

Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing, so the exact same vulnerability can have a drastically different security impact at different points in the development timeline.

Scope

The Electroneum Bug Bounty program scope covers all the services listed below:

All assets on the below domains, except services provided by third parties:

  1. api.electroneum.com
  2. my.electroneum.com
  3. electroneum.com

The following mobile apps:

  1. Android App
  2. iOS App

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  1. Social engineering
  2. Physical security
  3. Non-security impacting UX issues
  4. Deprecated Third Party Open Source libraries are not in scope. For our own supported and actively maintained open source libraries, we accept vulnerability reports through HackerOne.
  5. Vulnerabilities or weaknesses in third party applications that integrate with Electroneum
  6. Vulnerabilities associated with creating an emulator for the mining environment that do not demonstrate the ability to dramatically increase mining function or show other security impact
  7. Clickjacking on pages with no sensitive actions
  8. Attacks requiring MITM or physical access to a user's device
  9. Previously known vulnerable libraries without a working Proof of Concept
  10. Any type of injection without demonstrating a vulnerability
  11. Any activity that could lead to the disruption of our service (DoS)
  12. Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS
  13. Password complexity-related issues

SLA

Electroneum will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 2 business days
  • Time to bounty (from triage) - 5 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Please follow HackerOne’s disclosure guidelines.

Extra disclosure policy points

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

In Scope

Scope Type            Scope Name
android_application   com.electroneum.mobile
web_application       api.electroneum.com
web_application       my.electroneum.com
web_application       electroneum.com
web_application       com.electroneum.app

Out of Scope

Scope Type            Scope Name
web_application       *.electroneum.com


The public program Electroneum on the HackerOne platform was last updated on 2019-08-03. The lowest reward is 50 $.

FireBounty © 2015-2019
