Blockchain is the most trusted and fastest-growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.
To date we have over 35 million wallet signups, 100 million cryptocurrency and token transactions, and 25 thousand API users supporting 140 countries.
If you are new to our products, please review our Security Learning Portal before submitting reports.
We evaluate the severity of security issues by their impact and exploitability, following CVSS standards loosely. The final decision on severity is made at our sole discretion.
Below are monetary rewards for each severity level, denominated in US dollars. Pluses indicate minimum amounts.
XLM Airdrop exploit: Up to $6,000 (see the XLM Airdrop Testing section below)
Critical (compromise of important infrastructure; vulnerabilities that result in theft of cryptographic key material or user funds, e.g. Wallet XSS, server Command Injection): $2,000+
High: $750 (e.g. CSRF executing an important action but less severe than loss of funds)
Medium: $300+ (e.g. HTML injection in a non-transactional section of the website: https://hackerone.com/reports/179426 )
Blockchain has partnered with Stellar to airdrop $125M in XLM to our users. To ensure a fair airdrop process, we’ve taken steps to ensure that only one airdrop payment can be made per person.
We are now inviting security researchers to find ways of bypassing this constraint to help us prevent fraud and abuse. The objective for bounty hunters is to receive more than one airdrop payment by any legal means. Since this is a new type of bounty program, we are adopting an unconventional bounty system: Each legitimate report will be rewarded based on our estimates for how many times a given technique could reasonably be exploited by a malicious airdrop attacker.
For example, if you report a technique that would allow an attacker to receive 1000 XLM in airdrops, then we’ll award through HackerOne a minimum amount quoted in USD at the time the report is received. At a price of $0.12 USD per XLM, this would come out to a $120 USD bounty reward.
All rewards will be capped at a maximum of $6,000 USD per report. We will always reward at least $50 per technique.
Since financial and document fraud may be obvious ways to bypass our restrictions, please check with your local laws to verify that your research remains legal.
Blockchain will make a best effort to meet the following response targets for hackers participating in our program:
We’ll try to keep you informed about our progress throughout the process.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to maximize impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering of our users, employees, partners, etc. (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
The following is an approximate list of assets in scope for bounty testing, including wildcards, except where explicitly excluded. We exercise sole and final discretion on which assets are in scope.
¹: Partially deprecated domain. Severity may be limited.
²: Pre-production system. Severity may be limited.
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
Web applications operated by third parties are only considered in scope in the following cases:
The following assets represent third-party applications, along with their vendors to report issues to:
If our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:
All supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.
When spidering or testing our blockchain data, note that our site exposes the same data through many URL variations, few of which merit individual security testing. This includes:
Our open source application source code can be found for review at GitHub __.
Any activities conducted in a manner consistent with the law and our bounty policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Blockchain and our users safe!