[Bounty Program: Now Live] Security Vulnerability Bounty for the VeChain Thor Wallet
The security of the company's systems and of user data is our top priority. VeChain has therefore launched a security vulnerability bounty program.
Scope
This program applies only to the following assets:
The following issues are out of scope
In general, for the Android wallet, we do not accept reports of the following:
- Sensitive data in URLs/request bodies when protected by TLS
- Lack of obfuscation
- OAuth and app secrets hard-coded in or recoverable from the APK
- Crashes due to malformed Intents sent to an exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
- Any kind of sensitive data stored in the app's private directory
- Lack of binary protection controls in the Android app
- Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible on a rooted device)
In general, the following do not meet the severity threshold for the iOS app:
- Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries
- Sensitive data in URLs/request bodies when protected by TLS
- Path disclosure in the binary
- User data stored unencrypted on the file system
- Lack of obfuscation
- OAuth and app secrets hard-coded in or recoverable from the IPA
- Crashes due to malformed URL schemes
- Lack of binary protection (anti-debugging) controls
- Snapshot/Pasteboard leakage
- Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible on a jailbroken device)
What to look for
A vulnerability is a serious flaw or technical issue in a system that affects the integrity, availability or confidentiality of user information, or alters user privileges.
We are interested in the following vulnerabilities:
- Remote code execution and stored XSS
- Database vulnerabilities, including SQL injection
- Privilege escalation (both vertical and horizontal)
- Data breach
- Authentication bypass
- CSRF
- Disclosure of sensitive information
- Shell inclusion
Vulnerability rating and reward criteria
*Rewards are paid in VET at the prevailing market price at the time of payment.
How to submit a vulnerability report
Please submit your report via this online form.
The rules of the VeChain security program are as follows:
- Do not disrupt any production service or leak personal data
- You must submit a written report describing the work performed and the steps needed to reproduce the vulnerability
- After submitting a report, do not disclose the vulnerability to any person or organisation. Once a vulnerability is made public, you forfeit eligibility for a reward
- If several people report similar vulnerabilities, only the first submitter is rewarded
- Note that if you find multiple vulnerabilities, the reward is based on the one with the highest risk rating
- The VeChain Foundation reserves the right of final interpretation of vulnerability risk ratings and reward eligibility
Technical documentation is available in the VeChain developer zone, and development resources in the official VeChain Gitter community. Before submitting, make sure you have read and agree to the rules of the VeChain bounty program. For questions, contact bounty@vechain.com.