

500 $ 


No technology is perfect and Block.one believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our platform. Good luck, and happy hunting!


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Block.one will also leverage CVSS if there is any ambiguity in where the submission falls in the VRT to help maintain the severity and impact of the finding. CVSS generally tracks with the VRT as such:

Severity Level | Critical | High | Medium | Low | Informational
VRT | P1 | P2 | P3 | P4 | P5
CVSS v3 | 10.0-9.0 | 8.9-7.0 | 6.9-4.0 | <= 3.9 Low Impact | <= 3.9 Informational

Note that Block.one will not pay for bounties that count as Informational/P5.

Block.one reserves the right to make any final determination of rating levels for any reported vulnerability.

Reward Rules

  • The final amount is always ultimately at the sole discretion of Block.one.
  • The determination of rating levels is at the sole discretion of Block.one.
  • To qualify for a reward, the issue must be original, previously unreported (this includes issues already known by Block.one but not publicly disclosed), be a Qualifying Vulnerability (see below), and within the Testing Scope (see below).
  • For multiple vulnerabilities with one underlying root cause, where one fix can be applied to remediate all the vulnerabilities, we will consider this as one vulnerability and only award it once.
  • If you have found a vulnerability, please submit a report through the Bugcrowd Platform. Note that we are only able to answer technical vulnerability reports. If you are in a country that is not eligible for Bugcrowd, an alternative reporting strategy is documented at https://block.one/security/reporting-security-vulnerabilities/. However, we cannot guarantee reward payments in countries without Bugcrowd coverage and we reserve the right to deny your participation in this program or refuse to make any reward payments if you are in a location without Bugcrowd coverage. In cases where we cannot make a reward payment we may, at our discretion, offer a token reward or recognition instead. We recognize such offers will not be of equivalent intrinsic value to the bounty - they are intended in the spirit of recognition where we are unable to provide a financial reward due to program or legal limitations.
  • All payments will be made in compliance with local laws and regulations.

Reward Payment

Payment is made in accordance with the payment terms provided in Bugcrowd. If your country is not eligible for Bugcrowd and we determine in our discretion that your submission is accepted, qualified and eligible for payment, we will notify you of the reward amount and will work with you to process payment, subject to the laws and regulations of any applicable jurisdictions and the terms and conditions of any relevant payment service provider. You may not designate another person as the recipient of the reward. Unless otherwise indicated by us, all payments will be made in USD.

We reserve the right to change the reward range at our sole discretion any time during the program by posting an updated range on the program page. You are required to check the program page from time to time to confirm the reward range being offered at the time you submit any vulnerability. However, you will be entitled to the reward range posted at the time of your submission if the reward range is changed by us afterwards.

Scope and rewards

Reward range

Last updated 19 Aug 2020 17:37:39 UTC

Technical severity | Reward range
p1 Critical | $8,000 - $12,000
p2 Severe | $4,000 - $6,000
p3 Moderate | $1,500 - $3,000
p4 Low | $500 - $1,500

P5 submissions do not receive any rewards for this program.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This program was found on Bugcrowd on 2021-02-03.
