Banner object (1)

Hack and Take the Cash !

634 bounties in database
25/07/2018

VeChainThor Wallet

Policy

About Company


Cybersecurity of the company and the security of our users' data is a top priority for us, therefore VeChain launched a bug bounty program to find vulnerabilities and pay rewards.

To participate in the contest, you must agree and follow the rules described in this policy. You must be the first to report a vulnerability to receive a reward.

You must send a clear textual description of the work done, along with steps to reproduce the vulnerability.

After sending report, you cannot tell anyone or anywhere. Public disclosure of a vulnerability makes it ineligible for a bounty. Also, please do not store screenshots and / or executable codes and scripts related to the vulnerability discovered on publicly available services and resources so that the information is not available to third parties.

Scope


This program includes ONLY resources that are listed below:

What to look for


Vulnerabilities are critical gaps and technical flaws in systems that can violate the integrity, availability or confidentiality of user’s information, as well as change access rights to it.

We are interested in next vulnerabilities:

  • Remote code execution and stored XSS
  • Database vulnerability, SQLi
  • Privilege escalation (both vertical and horizontal)
  • Data breach
  • Authentication bypass
  • CSRF
  • Obtaining sensitive information
  • Shell inclusion

The size of rewards


We appreciate your efforts in taking out time and pointing it out to us, it helps us be better in our approach. While we are very thankful for your efforts, we don’t want them to go unrewarded. Eligible bug rewarded based on the CVSSv3 severity and we set next payout range:

Severity (CVSSv3) | Reward
---|---
Critical | 3,000 USD
High | 1,800 USD
Medium | 700 USD
Low | 300 USD

*The rewards will be paid out in VET based on the current price.

However, it’s entirely at our discretion to decide whether a bug is significant enough to be eligible for reward. In special cases, the size of the award can be increased if the researchers demonstrate how the vulnerability can be used to inflict maximum harm.

The rules of bug bounty program


  • Localize all your tests to your account. Don't affect other users.
  • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
  • It’s forbidden to perform DoS / DDoS on resources in the Scope.
  • Follow disclosure guidelines.

Out-of-Scope


In general, they do not correspond to the severity threshold for Android apps:

  • Sensitive data in URLs/request bodies when protected by TLS

  • Lack of obfuscation is out of scope

  • OAuth & App secret hard-coded/recoverable in APK

  • Crashes due to malformed Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)

  • Any kind of sensitive data stored in app private directory

  • Lack of binary protection control in android app

  • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

In general, they do not correspond to the severity threshold for iOS apps:

  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries

  • Sensitive data in URLs/request bodies when protected by TLS

  • Path disclosure in the binary

  • User data stored unencrypted on the file system

  • Lack of obfuscation is out of scope

  • OAuth & app secret hard-coded/recoverable in IPA

  • Crashes due to malformed URL Schemes

  • Lack of binary protection (anti-debugging) controls

  • Snapshot/Pasteboard leakage

  • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

Thanks
Gift
Hall of Fame
Reward


List your Bug Bounty for free immediately!

Contact us if you want more information.

FireBounty (c) 2015-2018