Program Policy: Please do not discuss any vulnerabilities, even resolved ones, outside of the program without full consent from the CertiK Chain team. Review all general guidelines before submission.
For all UI and UX bugs, please submit bugs and issues on the Explorer and Wallet category via the CertiK Chain Forum.
For all security vulnerabilities, email the content privately at [email protected] following the bug report template.
In about one (1) business day, the CertiK Chain team will confirm the threat intelligence per bug ticket. Our security engineers will follow up, evaluate the problem, and feed the intelligence back to the reporter with a 'Under Review' status.
In about four (4) business days, the CertiK Chain team will address the issue, draw conclusions, and record points with a 'Confirmed' or 'Ignored' status. Our security engineers will communicate with the reporter and ask for assistance if necessary.
The CertiK Chain team will then address the threat intelligence and update the status with 'Fixed' or 'Repaired.' The repairing timeframe depends on the problem severity and the difficulty on a case-by-case basis.
Report Bug Template
When reporting a bug, please ensure all elements are included. The following components will help the CertiK Chain team classify all vulnerabilities quickly and seamlessly.
Keep it brief and use the correct terms. A best practice is to include the name of the feature where you found an issue. A good example could be 'CART - Unable to add a new item to my cart'.
Explain the bug in a few words, and share it in easy-to-understand language. Keep in mind that your description might be used to search your bug tracking application.
Depending on your browser, operating system, zoom level and screen size, websites may behave differently from one environment to another.
Make it easy for developers to spot the problem by including the URL of the page where you found the bug.
A visual element, like a screenshot or a video, will help the team understand the problem better and faster.
Steps to reproduce
Make sure to describe, with as much detail as possible, the steps you took before you encountered the bug.
Expected vs. actual results
Explain the results you expected by being as specific as possible. Just saying "the app doesn’t work as expected" is not useful. It's also helpful to describe what was experienced.
You can also include extra information such as the severity (critical, major, minor, trivial, enhancement), or priority (high, medium, low).
A critical vulnerability refers to vulnerabilities that occur in the core business system (the core control system, field control, business distribution system, fortress machine and other control systems that manage a large number of systems). It can cause a severe impact, gain business system control access (depending on the actual situation), gain core system management staff access, and even control the core system.
It includes but is not limited to:
Achieve remote code execution on multiple devices in the internal network.
Gain core backend super administrator access, leak enterprise core data and cause a severe impact.
Smart contract overflow and conditional competition vulnerability.
Remote code execution
Gain unauthorized access to the sensitive information, including but not limited to, the direct access to the management background by bypassing authentication, obtain sensitive information in the internal network with SSRF, etc.)
XXE vulnerability with high security impact
Unauthorized operation that involves money, payment logic bypassing with working Proof of Concept
Serious logical design defects and process defects. This includes but is not limited to any user log-in vulnerability, the vulnerability of batch account password modification, logic vulnerability involving enterprise core business, etc., except for verification code explosion
Other vulnerabilities that affect users on a large scale. This includes but is not limited to the stored XSS that can be automatically propagated on the important pages, the stored XSS that can access administrator authentication information and can be successfully utilized
Leakage of a lot of server-side source code
The permission control defects in the smart contract
The vulnerability that can affect users by the interaction part. It includes but is not limited to the storage XSS on general pages, CSRF involving core business, etc
Insecure direct object references(IDOR) with medium security impact
The vulnerabilities caused by a successful explosion with the system sensitive operation, such as any account login and password access, etc. due to verification code logic defects
The leakage of locally-stored sensitive authentication key information, which needs to be able to use effectively
Local denial-of-service vulnerabilities. It includes but is not limited to the client local denial-of-service (parsing file formats, crashes generated by network protocols), problems that are caused by Android component permission exposure, general application access, etc.
General information leakage. This includes but is not limited to Web path traversal, system path traversal, directory browsing, etc
Reflected XSS, DOM XSS and Flash based XSS
CSRF with low security impact
SMS bombs, mail bombs (each system only accepts one type of this vulnerability).
No return value and no in-depth utilization of successful SSRF
Missing SPF Record, Email Spoofing with working Proof of Concept (The spoofed email deliver in the Inbox instead of the Spam folder)
Other vulnerabilities with low security impact
Clickjacking on pages with no sensitive actions
Previously known vulnerable libraries without a working Proof of Concept.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Issues that require unlikely user interaction
Social engineering (including phishing) of CertiK employees
Unconfirmed reports from automated vulnerability scanners
Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions, Login/Logout CSRF
Non-Sensitive Data Disclosure, for example server version banners
Self-XSS with no security impact
CORS misconfiguration with no security impact
Missing HttpOnly or Secure flags on cookies
Presence of autocomplete attribute on web forms.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Reports out of scope will not be considered. Please review the scope before submitting.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Avoid all privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
Any attacks that could cause physical damage or incur costs to other’s property is prohibited.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.