NEVERDIE is a driving force in virtual pop culture and the economics of the
virtual goods market, setting and breaking numerous Guinness World Records
since 2004 for the most valuable virtual items. NEVERDIE's virtual world
partnerships include Michael Jackson and Universal Studios as well as leading
virtual worlds and MMOs such as Entropia Universe and Shroud of the Avatar.
NEVERDIE launched the NEVERDIE Coin (NDC) and the Teleport token (TPT) in 2017
to unite virtual worlds and online games on the blockchain with interoperable
In 2018 NEVERDIE launched Dragon King, the first blockchain strategy game to
use NDC and TPT, together with the NEVERDIE crypto gaming wallet and API, which
help developers integrate NDC and TPT into the next generation of online games.
The scope covers the web services and NEVERDIE web applications that store or
process users' personal information. Personal information includes, for
example, logins and passwords, correspondence, order history and payment data.
Note that the program includes ONLY the resources listed below:
API description: https://neverdie.io/docs/api.html
What to look for
Vulnerabilities are critical gaps and technical flaws in systems that can
violate the integrity, availability or confidentiality of users' information,
or change the access rights to it.
We are interested in the following web vulnerabilities:
- Remote code execution and stored XSS
- Database vulnerability, SQLi
- Privilege escalation (both vertical and horizontal)
- Data breach
- Authentication bypass
- Obtaining sensitive information
- Shell inclusion
The size of rewards
We appreciate the time you take to find and report issues to us; it helps us
improve our approach. While we are very thankful for your efforts, we don't
want them to go unrewarded. Eligible bugs are rewarded based on their CVSSv3
severity, with the following payout tiers:

| Severity (CVSSv3) | Reward   |
|-------------------|----------|
| Critical          | 2884 HKN |
| High              | 1730 HKN |
| Medium            | 576 HKN  |
| Low               | 192 HKN  |
In special cases the size of the award can be increased if the researcher
demonstrates how the vulnerability could be used to inflict maximum harm.
The rules of the bug bounty program
- Automated scanners that generate massive network traffic volumes and may affect system performance are prohibited.
- Localize all your tests to your own account. Don't affect other users.
- Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.
- If you find a chain of vulnerabilities, we pay only for the vulnerability with the highest severity.
- It is forbidden to perform DoS / DDoS against resources in the scope.
- Follow the disclosure guidelines.
In general, the following vulnerabilities do not meet the severity threshold.
This section lists issues that are not accepted in this program, either
because testing for them is harmful and/or because they have a low security
impact.
- UI and UX bugs and spelling or localization mistakes.
- Descriptive error messages (e.g. stack traces, application or server errors).
- Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g. stealing auth tokens, we do still want to hear about them.
- Publicly accessible login panels without proof of exploitation.
- Reports stating that software is out of date/vulnerable without a proof of concept.
- Host header issues without a proof of concept demonstrating the vulnerability.
- HTTP error codes/pages or other non-success HTTP codes/pages.
- Fingerprinting/banner disclosure on common/public services.
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking/tapjacking and issues only exploitable through clickjacking/tapjacking.
- CSRF in forms that are available to anonymous users (e.g. the contact form).
- Login & logout CSRF.
- Presence of application or web browser 'autocomplete' or 'save password' functionality.
- Lack of Secure/HttpOnly flags on non-security-sensitive cookies.
- OPTIONS HTTP method enabled.
- Lack of a security speed bump when leaving the site.
- Weak CAPTCHA.
- Content injection issues.
- HTTPS mixed content scripts.
- Content spoofing without embedded links/HTML.
- Reflected File Download (RFD).
- Best-practice concerns.
- Highly speculative reports about theoretical damage. Be concrete.
- Missing HTTP security headers, e.g. Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.
- Infrastructure vulnerabilities, including:
  - Certificate/TLS/SSL related issues
  - DNS issues (i.e. MX records, SPF records, etc.)
  - Server configuration issues (i.e. open ports, TLS, etc.)
- Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including all versions of Internet Explorer.
- Vulnerabilities involving active content such as web browser add-ons.
- XSS issues that affect only outdated browsers (like Internet Explorer).
- Issues that require physical access to a victim's computer.
- Physical or social engineering attempts (this includes phishing attacks against employees).
- Recently disclosed 0-day vulnerabilities.
- Microsites with little to no user data.
- Most brute-forcing issues.
- Denial of service.