No technology is perfect and Block.one believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our platform. Good luck, and happy hunting!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
Block.one will also leverage CVSS if there is any ambiguity in where the submission falls in the VRT to help maintain the severity and impact of the finding. CVSS generally tracks with the VRT as such:
Severity Level | Critical | High | Medium | Low | Informational
VRT | P1 | P2 | P3 | P4 | P5
CVSS v3 | 10.0-9.0 | 8.9-7.0 | 6.9-4.0 | <= 3.9 Low Impact | <= 3.9 Informational
Note that Block.one will not pay for bounties that count as Informational/P5.
Block.one reserves the right to make any final determination of rating levels for any reported vulnerability.
Payment is made in accordance with the payment terms provided in Bugcrowd. If your country is not eligible for Bugcrowd and we determine in our discretion that your submission is accepted, qualified and eligible for payment, we will notify you of the reward amount and will work with you to process payment, subject to the laws and regulations of any applicable jurisdictions and the terms and conditions of any relevant payment service provider. You may not designate another person as the recipient of the reward. Unless otherwise indicated by us, all payments will be made in USD.
We reserve the right to change the reward range at our sole discretion at any time during the program by posting an updated range on the program page. You are required to check the program page from time to time to confirm the reward range being offered at the time you submit any vulnerability. However, you will be entitled to the reward range posted at the time of your submission if the reward range is changed by us afterwards.
Last updated 19 Aug 2020 17:37:39 UTC
Technical severity | Reward range
P1 Critical | $8,000 - $12,000
P2 Severe | $4,000 - $6,000
P3 Moderate | $1,500 - $3,000
P4 Low | $500 - $1,500
P5 submissions do not receive any rewards for this program.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings.
This program was found on Bugcrowd on 2021-02-03.