45466 policies in database
Link to program      
2018-10-15
2019-08-24
VeChainThor Wallet logo
Thank
Gift
HOF
Reward

300 HKN 

VeChainThor Wallet

Cybersecurity of the company and the security of our users' data is a top priority for us, therefore VeChain launched a bug bounty program to find vulnerabilities and pay rewards.

Scope

In Scope

Target Type Severity Reward
iOS Wallet https://itunes.apple.com/app/vechainthor/id1397679485?mt=8 iOS Critical Bounty
Android Wallet https://play.google.com/store/apps/details?id=com.vechain.wallet Android Critical Bounty

Focus Area

We are interested in the next vulnerabilities:

  • Remote code execution and stored XSS
  • Database vulnerability, SQLi
  • Privilege escalation (both vertical and horizontal)
  • Data breach
  • Authentication bypass
  • CSRF
  • Obtaining sensitive information
  • Shell inclusion

Out-of-Scope

In general, they do not correspond to the severity threshold for Android apps:

>
> * Sensitive data in URLs/request bodies when protected by TLS > * Lack of obfuscation is out of scope > * OAuth & App secret hard-coded/recoverable in APK > * Crashes due to malformed Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope) > * Any kind of sensitive data stored in app private directory > * Lack of binary protection control in android app > * Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment) >
>

In general, they do not correspond to the severity threshold for iOS apps:

>
> * Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries > * Sensitive data in URLs/request bodies when protected by TLS > * Path disclosure in the binary > * User data stored unencrypted on the file system > * Lack of obfuscation is out of scope > * OAuth & app secret hard-coded/recoverable in IPA > * Crashes due to malformed URL Schemes > * Lack of binary protection (anti-debugging) controls > * Snapshot/Pasteboard leakage > * Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment) >
>

Program Rules

  • Localize all your tests to your account. Don't affect other users.
  • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
  • It’s forbidden to perform DoS / DDoS on resources in the Scope.
  • Follow disclosure guidelines.

Disclosure Guidelines

To participate in the contest, you must agree and follow the rules described in this policy. You must be the first to report a vulnerability to receive a reward.

You must send a clear textual description of the work done, along with steps to reproduce the vulnerability.

After sending report, you cannot tell anyone or anywhere. Public disclosure of a vulnerability makes it ineligible for a bounty. Also, please do not store screenshots and / or executable codes and scripts related to the vulnerability discovered on publicly available services and resources so that the information is not available to third parties.

In Scope

Scope Type Scope Name
android_application

Android Wallet

ios_application

iOS Wallet


This program can reward you in HKN, up to 3000.0 HKN.

FireBounty © 2015-2024

Legal notices | Privacy policy