Blockchain.com is the most trusted and fastest-growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.
To date, we have over 80 million wallet signups, 1 trillion cryptocurrency and token transactions, and 37 million verified users across 200+ countries.
If you are new to our products, please review our Security Learning Portal before submitting reports.
You are welcome to test our products with your own funds but please note that Blockchain.com is not responsible for any losses.
Our evaluation of all reported vulnerabilities is final.
Blockchain.com will make a best effort to meet the following response targets for hackers participating in our program:
Time to first response (from report submit) - 2 business days
Time to triage (from report submit) - 5 business days
Time to bounty (from triage) - 10 business days
Time to resolution - depends on severity and complexity
| Severity | SLA in business days |
| ------------- | --------------------- |
| Critical | 2 days |
| High | 7 days |
| Medium | 60 days |
| Low | 180 days |
We’ll try to keep you informed about our progress throughout the process.
Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from Blockchain.com.
Follow HackerOne's disclosure guidelines.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Please do NOT use automated scanners. We cannot accept any submissions found by automated scanners.
Rate limit for any automation (scripted or tool-driven requests): at most 3 requests per second.
Submit one vulnerability per report, unless you need to chain vulnerabilities to maximise impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering of any type (e.g. phishing, vishing, smishing) is strictly prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
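The following is an added example, not Blockchain.com's own code, showing one way to keep scripted testing within the 3 requests/second limit stated above. It uses a sliding-window limiter (so no burst can exceed 3 requests in any one-second window, unlike a token bucket with burst capacity) around a caller-supplied request function. The clock and sleep function are injectable so the pacing can be verified offline; the URLs and the `fetch` callable are placeholders (assumptions), not assets from the program page.

```python
"""Sliding-window throttle for bounty automation (added example).

Guarantees at most `limit` requests in any window of `window` seconds,
which is stricter than a token bucket with a burst allowance.
"""
import time
from collections import deque
from typing import Callable, Deque, List


class SlidingWindowLimiter:
    """Permit at most `limit` acquisitions in any `window`-second span."""

    def __init__(self, limit: int = 3, window: float = 1.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.limit = limit
        self.window = float(window)
        self._clock = clock
        self._sleep = sleep
        self._sent: Deque[float] = deque()  # send times still inside the window

    def _expire(self, now: float) -> None:
        while self._sent and now - self._sent[0] >= self.window:
            self._sent.popleft()

    def acquire(self) -> float:
        """Block until one request is permitted; return total seconds slept."""
        slept = 0.0
        now = self._clock()
        self._expire(now)
        # Inside the loop, wait is always > 0: anything at or past the window
        # edge was already expired above.
        while len(self._sent) >= self.limit:
            wait = self._sent[0] + self.window - now
            self._sleep(wait)
            slept += wait
            now = self._clock()
            self._expire(now)
        self._sent.append(now)
        return slept


class FakeClock:
    """Deterministic clock for offline checks: sleep() just advances time."""

    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def throttled_fetch(urls: List[str], fetch: Callable[[str], object],
                    limiter: SlidingWindowLimiter) -> List[object]:
    """Call fetch(url) for each URL, waiting on the limiter before each call.

    In real use, fetch could be e.g. urllib.request.urlopen (assumption).
    """
    return [fetch(url) for url in urls if limiter.acquire() >= 0.0]


def max_in_window(timestamps: List[float], window: float = 1.0) -> int:
    """Largest count of (sorted) timestamps in any half-open [t, t + window)."""
    worst = 0
    for i, start in enumerate(timestamps):
        worst = max(worst, sum(1 for t in timestamps[i:] if t - start < window))
    return worst


def simulate(n: int, limit: int = 3, window: float = 1.0) -> List[float]:
    """Send n placeholder requests through the throttle; return send times."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit, window, clock.time, clock.sleep)
    sent: List[float] = []

    def fake_fetch(url: str) -> float:  # constructed stand-in for a real GET
        sent.append(clock.now)
        return clock.now

    throttled_fetch([f"https://example.invalid/item/{i}" for i in range(n)],
                    fake_fetch, limiter)
    return sent


if __name__ == "__main__":
    times = simulate(10)
    print("send times:", times)
    print("max requests in any 1 s window:", max_in_window(times))
```

With the limit at 3 per second, the fourth request is delayed until the first one leaves the window, so ten requests are spread over three seconds and no one-second window ever contains more than three.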
The scope table lists the assets in scope for bounty testing, including wildcards, except where an asset is explicitly excluded. We exercise sole and final discretion on which assets are in scope.
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
Open redirect at blockchain.com/r unless you devise a way to bypass the warning screen
The same email address can be used to register multiple wallet accounts -- this is intentional.
https://en.bitcoin.it/wiki/ and the en.bitcoin.it domain are NOT owned by Blockchain.com and therefore are NOT in scope.
Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.
Clickjacking on pages with no sensitive actions.
Password, email, and account policies, such as email address verification, password complexity.
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Rate limiting or brute-force issues on non-authentication endpoints
Missing flags like HttpOnly or Secure on cookies
Missing best practices in Content Security Policy or best practice security headers
Presence of autocomplete attribute on web forms
Tabnabbing or Reverse tabnabbing
Blind SSRF without proven business impact (DNS pingback only is not sufficient)
Open redirect - unless an additional security impact can be demonstrated
Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Phishing websites and malware lookalike applications (please report to Support staff instead)
Physical security of our offices, employees, etc.
Non-security-impacting UX issues
Web applications operated by third parties are only considered in scope in the following ways:
Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.
Vulnerabilities in third-party applications must first be reported to the vendor. We may, at our discretion, award an additional bounty on top of any vendor reward, depending on the outcome of that report.
The following assets represent third-party applications, along with their vendors to report issues to:
email-clicks.blockchain.com (SendGrid)
support.blockchain.com (ZenDesk)
blog.blockchain.com (Medium)
why.blockchain.com (InstaPage)
track.blockchain.com (Tune)
partners.blockchain.com (Tune)
When spidering or testing our blockchain data, note that the site exposes the same data under many URL variations, few of which merit individual security testing. These include:
Data for each transaction, block, address, etc. e.g. https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb vs https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25
Data presented in multiple human languages, e.g. https://www.blockchain.com/explorer vs https://www.blockchain.com/es/explorer
Our open source application source code is available for review on GitHub.
Any activities conducted in a manner consistent with the law and our bounty policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Blockchain.com and our users safe!
In-scope assets:

| Scope Type | Scope Name |
| --- | --- |
| android_application | piuk.blockchain.android |
| android_application | com.blockchain.exchange |
| ios_application | 493253309 |
| ios_application | 1557515848 |
| web_application | ws.blockchain.info |
| web_application | *.blockchain.com |
| web_application | api.blockchain.info |
| web_application | www.blockchain.info |

Out-of-scope assets (third-party hosted; see the vendor list above):

| Scope Type | Scope Name |
| --- | --- |
| web_application | blog.blockchain.com |
| web_application | support.blockchain.com |
| web_application | email-clicks.blockchain.com |
| web_application | track.blockchain.com |
| web_application | partners.blockchain.com |
| web_application | why.blockchain.com |
This program was found on HackerOne on 2016-10-31.
FireBounty © 2015-2024