15/10/2018
Reward

300 HKN 

VeChainThor Wallet

The company's cybersecurity and the security of our users' data are a top priority for us; therefore, VeChain launched a bug bounty program to find vulnerabilities and pay rewards.

Scope

In Scope

Target | Type | Severity | Reward
---|---|---|---
iOS Wallet (https://itunes.apple.com/app/vechainthor/id1397679485?mt=8) | iOS | Critical | Bounty
Android Wallet (https://play.google.com/store/apps/details?id=com.vechain.wallet) | Android | Critical | Bounty

Rewards

Severity (CVSSv3) | Reward
---|---
Critical | 3000$
High | 1800$
Medium | 700$
Low | 300$

Focus Area

We are interested in the following vulnerabilities:

  • Remote code execution and stored XSS
  • Database vulnerability, SQLi
  • Privilege escalation (both vertical and horizontal)
  • Data breach
  • Authentication bypass
  • CSRF
  • Obtaining sensitive information
  • Shell inclusion

Out-of-Scope


In general, the following do not meet the severity threshold for Android apps:

  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation is out of scope
  • OAuth & App secret hard-coded/recoverable in APK
  • Crashes due to malformed Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in app private directory
  • Lack of binary protection controls in the Android app
  • Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)

In general, the following do not meet the severity threshold for iOS apps:

  • Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation is out of scope
  • OAuth & app secret hard-coded/recoverable in IPA
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)

Program Rules

  • Limit all your tests to your own account. Don't affect other users.
  • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.
  • If you find chain vulnerabilities, we pay only for the vulnerability with the highest severity.
  • It is forbidden to perform DoS/DDoS attacks on resources in the Scope.
  • Follow disclosure guidelines.

Disclosure Guidelines

To participate in the contest, you must agree to and follow the rules described in this policy. You must be the first to report a vulnerability to receive a reward.

You must send a clear textual description of the work done, along with steps to reproduce the vulnerability.

After sending the report, you may not disclose it to anyone or anywhere. Public disclosure of a vulnerability makes it ineligible for a bounty. Also, please do not store screenshots and/or executable code and scripts related to the discovered vulnerability on publicly available services and resources, so that the information is not available to third parties.

In Scope

Scope Type | Scope Name
---|---
android_application | Android Wallet
ios_application | iOS Wallet


This program can reward you in HKN, up to 3000.0 HKN.
