Banner object (1)

4217 policies in database
  Back Link to program      
Crypviser Secure Messenger logo
Hall of Fame


100 HKN 

Crypviser Secure Messenger

Crypviser is the most private messaging app, as it is based on Blockchain technology. The decentralized Crypviser Messenger lets you to enjoy private cam chat & voice calls with automated blockchain encryption.


In Scope

Target | Type | Severity | Reward
  • DAPP Crypviser Secure Messenger for iOS

| iOS | Critical | Bounty


Severity (CVSSv3) | Reward
Critical | 3000$
High | 1500$
Medium | 300$
Low | 100$

__Focus Area

In-Scope Vulnerabilities

We are interested in next vulnerabilities:

  • Data Security at Local DB Level

  • Access to the data contained in the QR code

  • Pentest of http-server to transfer files to — only post request to transfer files to the server
  • Decryption, and interception of communications between users
  • MiTM attacks on the interception and substitution of public keys encryption for faking messages

  • Decryption of messages between the user and the bot (

  • Authorization in the application without knowing the password
  • MiTM attack to establish a chat on behalf of another user
  • Conducting a successful unnoticed MiTM with data substitution between a lightweight blockchain client in the application and Witness (violation of the integrity of Merkel Tree hashes)
  • Carrying out attacks at the network level of application’s operation with blockchain nodes

Out-of-Scope Vulnerabilities

  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation is out of scope
  • OAuth & app secret hard-coded/recoverable in IPA
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

__Program Rules

  • Avoid compromising any personal data, interruption or degradation of any service .
  • Don’t access or modify other user data, localize all tests to your accounts.
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
  • Only the first valid bug is eligible for reward.
  • Don’t disclose publicly any vulnerability until you are granted permission to do so.
  • Don’t break any law and stay in the defined scope.
  • Comply with the rules of the program.
  • The rewards will be paid out in HKN based on the current price.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.

In Scope

Scope Type Scope Name

This program crawled on the 2018-10-25 is sorted as bounty.

FireBounty © 2015-2020

Legal notices