The security of the company and of our users' data is a top priority for us, therefore VeChain has launched a bug bounty program to find vulnerabilities and pay rewards for them.
Target | Type | Severity | Reward |
---|---|---|---|
iOS Wallet https://itunes.apple.com/app/vechainthor/id1397679485?mt=8 | iOS | Critical | Bounty |
Android Wallet https://play.google.com/store/apps/details?id=com.vechain.wallet | Android | Critical | Bounty |
We are interested in the following vulnerabilities:
The following issues generally do not meet the severity threshold for Android apps:
>
> * Sensitive data in URLs/request bodies when protected by TLS
> * Lack of obfuscation is out of scope
> * OAuth & app secret hard-coded/recoverable in APK
> * Crashes due to malformed Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
> * Any kind of sensitive data stored in the app's private directory
> * Lack of binary protection controls in the Android app
> * Runtime hacking exploits using tools like, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)
>
The following issues generally do not meet the severity threshold for iOS apps:
>
> * Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries
> * Sensitive data in URLs/request bodies when protected by TLS
> * Path disclosure in the binary
> * User data stored unencrypted on the file system
> * Lack of obfuscation is out of scope
> * OAuth & app secret hard-coded/recoverable in IPA
> * Crashes due to malformed URL schemes
> * Lack of binary protection (anti-debugging) controls
> * Snapshot/Pasteboard leakage
> * Runtime hacking exploits using tools like, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)
>
To participate in the program, you must agree to and follow the rules described in this policy. You must be the first to report a vulnerability in order to receive a reward.
You must send a clear textual description of the work done, along with steps to reproduce the vulnerability.
After sending a report, you must not disclose it to anyone, anywhere. Public disclosure of a vulnerability makes it ineligible for a bounty. Also, please do not store screenshots and/or executable code or scripts related to the discovered vulnerability on publicly available services and resources, so that the information is not accessible to third parties.
Scope Type | Scope Name |
---|---|
android_application | Android Wallet |
ios_application | iOS Wallet |
This program can reward you in HKN, up to 3000.0 HKN.
FireBounty © 2015-2024