[Bounty - ongoing] Security Bug Bounty - VeChainThor Wallet
  • Cybersecurity of the company and the security of our users' data is a top priority for us, therefore VeChain launched a bug bounty program to find vulnerabilities and pay rewards.

    Scope

    This program includes ONLY resources that are listed below:

    Out-of-Scope

    In general, the following do not meet the severity threshold for Android apps:

    • Sensitive data in URLs/request bodies when protected by TLS
    • Lack of obfuscation is out of scope
    • OAuth & App secret hard-coded/recoverable in APK
    • Crashes due to malformed Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
    • Any kind of sensitive data stored in app private directory
    • Lack of binary protection control in android app
    • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible on a rooted device)

    In general, the following do not meet the severity threshold for iOS apps:
    • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
    • Sensitive data in URLs/request bodies when protected by TLS
    • Path disclosure in the binary
    • User data stored unencrypted on the file system
    • Lack of obfuscation is out of scope
    • OAuth & app secret hard-coded/recoverable in IPA
    • Crashes due to malformed URL Schemes
    • Lack of binary protection (anti-debugging) controls
    • Snapshot/Pasteboard leakage
    • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

    What to look for

    Vulnerabilities are critical gaps and technical flaws in systems that can violate the integrity, availability or confidentiality of users' information, or alter access rights to it.

    We are interested in the following vulnerabilities:

    • Remote code execution and stored XSS
    • Database vulnerability, SQLi
    • Privilege escalation (both vertical and horizontal)
    • Data breach
    • Authentication bypass
    • CSRF
    • Obtaining sensitive information
    • Shell inclusion

    The size of the bounty

    (reward table image; amounts not reproduced here)

    *The rewards will be paid out in VET based on the current price.

    How to submit bug reports

    Please submit your report through this FORM!

    The rules of VeChain CyberSecurity Program are as follows:

    • You must not disrupt any service, or compromise personal data
    • You must send a clear textual description of the work done, along with steps to reproduce the vulnerability
    • After sending a report, do not disclose it to anyone or anywhere. Public disclosure of a vulnerability makes it ineligible for a reward
    • For similar issues, only the first submission is eligible for a bounty reward
    • If you find a chain of vulnerabilities, we pay only for the vulnerability with the highest severity
    • It’s entirely at VeChain's discretion to decide whether a bug is significant enough to be eligible for reward and its severity

    Check out the Developer Information Center for technical documentation and the Official Gitter Developer Channel for development resources. Please make sure you have read and agree to the rules of the VeChain Bounty programs. For any questions, please contact bounty@vechain.com.
