DeepWallet and Explorer Bug Bounty

Bug bounty rewards are determined by severity according to CVSS, the Common Vulnerability Scoring System. All final reward decisions will be made by the CertiK Foundation.

Program Policy: Please do not discuss any vulnerabilities, even resolved ones, outside of the program without full consent from the CertiK Chain team. Review all general guidelines before submission.

Bug Ticket Processing Flow

1. Reporting Stage

For all UI and UX bugs, please submit bugs and issues in the Explorer and Wallet category of the CertiK Chain Forum.

For all security vulnerabilities, email the details privately to chain+security@certik.org, following the bug report template below.

2. Processing Stage

In about one (1) business day, the CertiK Chain team will confirm the threat intelligence for each bug ticket. Our security engineers will follow up, evaluate the problem, and feed the intelligence back to the reporter with an 'Under Review' status.

In about four (4) business days, the CertiK Chain team will address the issue, draw conclusions, and record points with a 'Confirmed' or 'Ignored' status. Our security engineers will communicate with the reporter and ask for assistance if necessary.

3. Repairing Stage

The CertiK Chain team will then address the threat intelligence and update the status to 'Fixed' or 'Repaired.' The repair timeframe depends on the severity of the problem and the difficulty of the fix, on a case-by-case basis.

Report Bug Template

When reporting a bug, please ensure all elements are included. The following components will help the CertiK Chain team classify all vulnerabilities quickly and seamlessly.

Elements and their descriptions

ID/name

Keep it brief and use the correct terms. A best practice is to include the name of the feature where you found an issue. A good example could be 'CART - Unable to add a new item to my cart'.

Description/Summary

Explain the bug in a few words, in easy-to-understand language. Keep in mind that your description may be used to search the bug tracker.

Environment

Websites may behave differently from one environment to another depending on browser, operating system, zoom level and screen size, so state the environment in which you observed the bug.

Source URL

Make it easy for developers to spot the problem by including the URL of the page where you found the bug.

Visual Proof

A visual element, like a screenshot or a video, will help the team understand the problem better and faster.

Steps to reproduce

Make sure to describe, with as much detail as possible, the steps you took before you encountered the bug.

Expected vs. actual results

Explain the results you expected, being as specific as possible. Just saying "the app doesn't work as expected" is not useful. Also describe what actually happened.

Optional

You can also include extra information such as the severity (critical, major, minor, trivial, enhancement), or priority (high, medium, low).

Security Vulnerability Scope

Critical Vulnerabilities

A critical vulnerability is one in a core business system (the core control system, field control, business distribution system, bastion host, or other control system that manages a large number of systems) whose exploitation has a severe impact: gaining control of the business system (depending on the actual situation), gaining the access level of core system administrators, or even taking control of the core system itself.

It includes but is not limited to:

  • Remote code execution on multiple devices in the internal network.

  • Core backend super-administrator access that leaks core enterprise data and causes a severe impact.

  • Smart contract integer overflow and race condition vulnerabilities.

High-risk Vulnerabilities

  • Remote code execution

  • SQL injection

  • Unauthorized access to sensitive information, including but not limited to direct access to the management backend by bypassing authentication, or obtaining sensitive internal-network information via SSRF

  • XXE vulnerability with high security impact

  • Unauthorized operations involving money, or payment-logic bypass, with a working Proof of Concept

  • Serious logical design defects and process defects. This includes but is not limited to logging in as any user, batch modification of account passwords, logic flaws in core enterprise business, etc., excluding verification-code brute forcing

  • Other vulnerabilities that affect users on a large scale. This includes but is not limited to stored XSS on important pages that propagates automatically, and stored XSS that can obtain administrator authentication information and is successfully exploitable

  • Large-scale leakage of server-side source code

  • Access-control defects in smart contracts

Medium-risk Vulnerabilities

  • Vulnerabilities that affect users only through interaction. This includes but is not limited to stored XSS on general pages, CSRF involving core business, etc.

  • Insecure direct object references (IDOR) with medium security impact

  • Vulnerabilities in which a verification-code logic defect allows successful brute forcing of sensitive system operations, such as logging in to any account or obtaining its password

  • Leakage of locally stored sensitive authentication keys, where the leaked key is actually usable

Low-risk Vulnerabilities

  • Local denial-of-service vulnerabilities. This includes but is not limited to client-side local denial of service (file-format parsing, crashes triggered by network protocols), problems caused by exposed Android component permissions, general application access, etc.

  • General information leakage. This includes but is not limited to web path traversal, system path traversal, directory browsing, etc.

  • Reflected XSS, DOM XSS and Flash based XSS

  • CSRF with low security impact

  • SMS bombing and mail bombing (only one report of this type is accepted per system).

  • SSRF that succeeds but returns no data and allows no further exploitation

  • Missing SPF record, or email spoofing with a working Proof of Concept (the spoofed email is delivered to the Inbox rather than the Spam folder)

  • Other vulnerabilities with low security impact

Out of Scope

  • Clickjacking on pages with no sensitive actions

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Missing best practices in SSL/TLS configuration.

  • Any activity that could lead to the disruption of our service (DoS).

  • Issues that require unlikely user interaction

  • Social engineering (including phishing) of CertiK employees

  • Unconfirmed reports from automated vulnerability scanners

  • Reports exploiting the behavior of, or vulnerabilities in, outdated browsers

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions, Login/Logout CSRF

  • Non-Sensitive Data Disclosure, for example server version banners

  • CSV/formula injection

  • Self-XSS with no security impact

  • CORS misconfiguration with no security impact

  • Missing HttpOnly or Secure flags on cookies

  • Presence of autocomplete attribute on web forms.

Additional Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Reports out of scope will not be considered. Please review the scope before submitting.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Avoid all privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

  • Any attack that could cause physical damage or incur costs to others' property is prohibited.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.