2018-08-28
2019-09-20
Reward: 100 $

Crypto.com

Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.

Note: This program is for the disclosure of software security vulnerabilities only.

Program Rules

  • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.

  • Do not exploit the vulnerability in any way, including by making it public or by obtaining a profit from it (other than a reward under this Program).

  • Follow HackerOne's disclosure guidelines. Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.

  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

  • Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.

  • Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.

  • In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.

  • By submitting a bug, you agree to be bound by the rules.


Scope

In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page

  • Only issues identified in the applications listed in the structured scopes qualify for the program. Once a report has been triaged as valid, it is considered for the bug bounty.

  • All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].

  • Note: Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.


Testing Resources and Guidance

Crypto.org Chain Testnet (Croeseid) relevant resources:

  • https://crypto.org/explorer/

  • https://github.com/crypto-org-chain/chain-main

  • Nodes:

      ◦ 13.70.17.170

      ◦ 13.90.34.32

      ◦ 40.79.80.22

      ◦ mainnet.crypto.org

      ◦ seed-0.crypto.org

      ◦ seed-1.crypto.org

      ◦ seed-2.crypto.org

  • https://crypto.org/docs/getting-started/mainnet.html#step-2-configure-chain-maind

Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:

  • Remote Code Execution

  • Significant manipulation of the account balance

  • Leakage of sensitive data

  • XSS/CSRF/Clickjacking affecting sensitive actions

  • Theft of privileged information

  • Partial authentication bypass

  • Other vulnerability with clear potential for financial or data loss

  • Other XSS (excluding Self-XSS)

  • Other CSRF (excluding logout CSRF)

Qualifying Vulnerabilities in the Crypto.org Chain and areas we are concerned with:

We are looking to find security issues affecting our blockchain protocol such as:

  • Bugs in our implementation of the cryptographic primitives

  • Remote Code Execution on any Crypto.com node and the reference wallet implementation

  • Vulnerabilities that disrupt the consensus result and performance

  • Unauthorized movement of funds, access to private keys

  • Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation

  • Transaction origin spoofing

  • Vulnerabilities that affect the stability or availability of Crypto.org Chain / Explorer


Product and Feature Updates [regularly updated]

To keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly.

For more information about Crypto.com’s recent dev updates, you may also refer to our blog.

Update - 30 November 2020: “Margin Trading” service released

Crypto.com has released a new feature called Margin Trading service on the crypto.com/exchange platform.

The new Margin Trading enhancement gives users a separate margin wallet, lets them obtain a loan to margin trade and place and cancel orders on the crypto.com Exchange, and continuously monitors each user’s Margin Level.

Update - 11 September 2020: CRO Swap added into scope

This Program is limited to the vulnerabilities affecting CRO swap in the following contracts:

  • https://github.com/crypto-com/cro-staking

  • https://github.com/crypto-com/swap-contracts-periphery

  • https://github.com/crypto-com/swap-contracts-core

For purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.

For your reported vulnerability to be eligible, you must:

  • Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.

  • Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.

  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.


Out-of-scope Vulnerabilities

Non-Qualifying Vulnerabilities in the Crypto.com Exchange

  • Theoretical vulnerabilities without actual proof of concept

  • Email verification deficiencies, expiration of password reset links, and password complexity policies

  • Clickjacking/UI redressing with minimal security impact

  • Email enumeration (E.g. the ability to identify emails via password reset)

  • Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)

  • Tab-nabbing

  • Self-XSS

  • Denial of service (DoS)

  • Spamming

  • Usability issues

  • Vulnerabilities only exploitable on out-of-date browsers or platforms

  • Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI

  • Reports from automated tools or scans, without exploitability demonstration

  • Vulnerabilities related to autofill web forms

  • Use of known vulnerable libraries without actual proof of concept

  • Lack of security flags in cookies

  • Issues related to unsafe SSL/TLS cipher suites or protocol version

  • Content spoofing

  • Cache-control related issues

  • Exposure of internal IP address or domains

  • Missing security headers that do not lead to direct exploitation

  • CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)

  • Vulnerabilities that require physical access to a user's device

  • Non-technical attacks, such as physical attacks, social engineering, phishing, etc. (E.g. HTTP Basic Authentication phishing)

Non-Qualifying Vulnerabilities in the Crypto.org Chain

  • Vulnerabilities in Intel SGX

  • Vulnerabilities in Cosmos SDK

  • Vulnerabilities in a dependent 3rd party library

  • Vulnerabilities in the demo wallet example in HERE

  • Missing features, missing best practices, known limitations, known bugs, e.g. >⅓ Byzantine faults

Non-Qualifying Vulnerabilities for CRO Swap assets

The following are not eligible:

  • The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;

  • Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);

  • Bugs in any third party contract or platform that interacts with CRO swap;

Non-Qualifying Vulnerabilities in the Mobile Apps

  • Any CRO cashback gained via a typical purchase, payment or cash advance

  • Shared links leaked through the system clipboard.

  • Any URIs leaked because a malicious app has permission to view URIs opened

  • Absence of certificate pinning

  • Sensitive data in URLs/request bodies when protected by TLS

  • User data stored unencrypted on external storage and private directory.

  • Lack of obfuscation is out of scope

  • Auth "app secret" hard-coded in or recoverable from the APK.

  • Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes

  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)

  • Clickjacking/UI redressing with minimal security impact.

  • Distributed denial of service attacks (DDoS).

  • DNSSEC Misconfiguration

  • Lack of binary protection (anti-debugging) controls.

  • Lack of exploit mitigations such as PIE, ARC, or stack canaries

  • Path disclosure in the binary

  • Snapshot/Pasteboard leakage

  • Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)

  • Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.

  • Attacks that require a physical connection to the device with a developer-level debugging tool, including but not limited to ADB.

  • Reports that result only in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit.

  • Scenarios requiring excessive user interaction or tricking users, such as phishing.

  • Exploits that depend on a complex scenario or whose probability of exploitation is very low.

  • Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.

Internally known Issues

  • Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.

Disclaimer:

  • Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.

  • CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.

  • By submitting a bug, you agree to be bound by the above rules.

Safe Harbour:

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

In Scope

Scope Type           Scope Name
android_application  co.mona.android
android_application  com.defi.wallet
ios_application      com.monaco.mobile
ios_application      com.defi.wallet
web_application      www.crypto.com
web_application      app.mona.co
web_application      https://crypto.com/exchange
web_application      https://auth.crypto.com/
web_application      https://merchant.crypto.com
web_application      pay.crypto.com
web_application      js.crypto.com
web_application      https://crypto.com/defi/
web_application      https://github.com/crypto-com/cro-staking
web_application      https://github.com/crypto-com/swap-contracts-periphery
web_application      https://github.com/crypto-com/swap-contracts-core
web_application      crypto.org
web_application      tax.crypto.com
web_application      https://crypto.com/nft
web_application      https://testnet-croeseid-4.crypto.org
web_application      https://github.com/crypto-org-chain/chain-main

Out of Scope

Scope Type           Scope Name
web_application      *.crypto.com
web_application      https://github.com/crypto-com/sample-chain-wallet


This program was found on HackerOne on 2018-08-28.

FireBounty © 2015-2024