Intro

Blockchain is the most trusted and fastest growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.

To date we have over 35 million wallet signups, 100 million cryptocurrency and token transactions, and 25 thousand API users supporting 140 countries.

If you are new to our products, please review our Security Learning Portal before submitting reports.

Rewards

We evaluate the severity of security issues based on their impact and exploitability, based loosely on CVSS standards. Final decision on severity is made at our sole discretion.

Below are monetary rewards for each severity level, denominated in US dollars. Pluses indicate minimum amounts.

XLM Airdrop exploit : Up to $6,000 (See XLM Airdrop Testing section below)

Critical (compromise of important infrastructure; vulnerabilities that result in theft of cryptographic key material or user funds e.g. Wallet XSS, server Command Injection): $2,000+

High : $750 (e.g. CSRF executing important action but less severe than loss of funds)

Medium : $300+ (e.g. HTML injection in non-transactional section of website: https://hackerone.com/reports/179426 )

Low : $50 (e.g. Server version disclosure https://hackerone.com/reports/179217 or low value information disclosure https://hackerone.com/reports/179599 )

XLM Airdrop Testing

Blockchain has partnered with Stellar to airdrop $125M in XLM to our users. To ensure a fair airdrop process, we’ve taken steps to ensure that only one airdrop payment can be made per person.

We are now inviting security researchers to find ways of bypassing this constraint to help us prevent fraud and abuse. The objective for bounty hunters is to receive more than one airdrop payment by any legal means. Since this is a new type of bounty program, we are adopting an unconventional bounty system: Each legitimate report will be rewarded based on our estimates for how many times a given technique could reasonably be exploited by a malicious airdrop attacker.

For example, if you report a technique that would allow an attacker to receive 1000 XLM in airdrops, then we’ll award through HackerOne a minimum amount quoted in USD at the time the report is received. At a price of $0.12 USD per XLM, this would come out to a $120 USD bounty reward.

All rewards will be capped at a maximum of $6000 USD per report. We will always reward at least $50 per technique.

Since financial and document fraud may be obvious ways to bypass our restrictions, please check with your local laws to verify that your research remains legal.

Response Targets

Blockchain will make a best effort to meet the following response targets for hackers participating in our program:

• Time to first response (from report submit) - 5 business days
• Time to triage (from report submit) - 10 business days
• Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from us.
• Follow HackerOne's disclosure guidelines __.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to maximize impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering of our users, employees, partners, etc. (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Testing Scope

Assets in Scope

The following approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.

blockchain.com namespace

• *.blockchain.com
• www.blockchain.com __
• api.blockchain.com
• docs.blockchain.com
• login.blockchain.com
• mailer1.blockchain.com
• mailer2.blockchain.com
• mailer3.blockchain.com
• pit.blockchain.com
• prod.blockchain.com
• wallet-helper.blockchain.com

blockchain.info namespace

• www.blockchain.info __¹
• api.blockchain.info ¹
• bci-ads.blockchain.info
• blog.blockchain.info ¹
• consul.dev.blockchain.info
• *.europe-west1.dev.blockchain.info
• *.dev.blockchain.info ¹²
• horizon.blockchain.info
• pit.*.blockchain.info
• ws.blockchain.info

¹: Partially deprecated domain. Severity may be limited.
²: Pre-production system. Severity may be limited.

Mobile applications and hardware

• Wallet App (Android) https://play.google.com/store/apps/details?id=piuk.blockchain.android __(Latest version)
• Merchant App (Android) https://play.google.com/store/apps/details?id=info.blockchain.merchant __(Latest version)
• Wallet App (iOS) https://itunes.apple.com/us/app/blockchain-wallet-bitcoin/id493253309 __(Latest version)
• Merchant App (iOS) https://itunes.apple.com/us/app/blockchain-merchant/id947009571 __(Latest version)
• Hardware and software for the Blockchain Lockbox hardware wallet

Out of Scope

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

• Open redirect at blockchain.com/r. unless you devise a way to bypass the warning screen
• The same email address can be used to register multiple wallet accounts -- this is intentional.
• https://en.bitcoin.it/wiki/ __and the en.bitcoin.it domain are NOT owned by Blockchain and therefore are NOT in scope.
• Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.
• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS). DoS software vulnerabilities may be reported, but must be tested in a fashion as to not significantly impact service to users.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Phishing websites and malware lookalike applications (please report to Support staff instead)
• https://itunes.apple.com/us/app/zeroblock-real-time-bitcoin/id643184018 __(ZeroBlock iOS application -- legacy support only)
• Physical security of our offices, employees, etc.
• Non-security-impacting UX issues

Web applications operated by third parties are only considered in scope under the following ways:

• Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.
• Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward for these issues on top of the vendor based on the outcome of that report.

The following assets represent third-party applications, along with their vendors to report issues to:

• campaigns.blockchain.com (ActOn)
• email-clicks.blockchain.com (SendGrid)
• jamf.blockchain.com (Jamf)
• support.blockchain.com (ZenDesk)
• blog.blockchain.com (Ghost)

Guidelines for Crafting a Report

If our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:

• Description of the vulnerability
• Steps to reproduce the reported vulnerability
• Proof of exploitability (e.g. screenshot, video)
• Perceived impact to another user or the organization
• Proposed CVSSv3 Vector & Score (without environmental and temporal modifiers)
• List of URLs and affected parameters
• Other vulnerable URLs, additional payloads, Proof-of-Concept code
• Browser, OS and/or app version used during testing

All supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.

Testing Tips

When spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:

• Data for each transaction, block, address, etc. e.g. https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb __vs https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25 __
• Data presented in multiple human languages, e.g. https://www.blockchain.com/explorer __vs https://www.blockchain.com/es/explorer __

Our open source application source code can be found for review at GitHub __.

Safe Harbor

Any activities conducted in a manner consistent with the law and our bounty policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Blockchain and our users safe!