[Bounty program, now live] Security vulnerability bounty: VeChain Thor Wallet

Enterprise network security and the safety of user data are our top priorities. VeChain has therefore launched a security vulnerability bounty program.

    Scope

    This program applies only to the following resources:

    The following issues are out of scope
    In general, for the Android wallet, we do not accept reports of the following:

    • Sensitive data in URLs or request bodies when protected by TLS
    • Lack of obfuscation
    • OAuth or app secrets hard-coded in, or recoverable from, the APK
    • Crashes due to malformed Intents sent to an exported Activity, Service or Broadcast Receiver (exploiting such a component to leak sensitive data is commonly in scope)
    • Any kind of sensitive data stored in the app's private directory
    • Lack of binary protection (anti-tampering/anti-debugging) controls in the Android app
    • Runtime hooking or instrumentation exploits using tools such as, but not limited to, Frida or Appmon (exploits only possible on a rooted device)
      Likewise, the following do not meet the severity threshold for the iOS app:
    • Lack of exploit mitigations, i.e. PIE, ARC or stack canaries
    • Sensitive data in URLs or request bodies when protected by TLS
    • Path disclosure in the binary
    • User data stored unencrypted on the file system
    • Lack of obfuscation
    • OAuth or app secrets hard-coded in, or recoverable from, the IPA
    • Crashes due to malformed URL schemes
    • Lack of binary protection (anti-debugging) controls
    • Snapshot or pasteboard leakage
    • Runtime hooking or instrumentation exploits using tools such as, but not limited to, Frida or Appmon (exploits only possible on a jailbroken device)

    What to look for
    A vulnerability is a serious defect or technical issue in a system that affects the integrity, availability or confidentiality of user information, or that changes user privileges.
    We are interested in the following classes of vulnerability:

    • Remote code execution and stored XSS
    • Database vulnerability, SQLi
    • Privilege escalation (both vertical and horizontal)
    • Data breach
    • Authentication bypass
    • CSRF
    • Obtaining sensitive information
    • Shell inclusion

    Vulnerability rating and reward criteria
    [image: bug bounty 奖励2.png, the reward tier table]

    *Rewards are paid in VET at the prevailing market price at the time of payment

    How to submit a vulnerability report

    Please submit your report through this online form

    The rules of the VeChain security program are as follows:

    • Do not disrupt any production service or leak personal data
    • You must submit a written report describing the work you did and the steps to reproduce the vulnerability
    • After submitting a report, do not disclose the vulnerability to any person or organization. Once a vulnerability has been made public, you lose eligibility for a reward
    • If several people report similar vulnerabilities, only the first submitter is rewarded
    • Note that if you find multiple vulnerabilities, the reward is based on the one with the highest risk rating
    • The VeChain Foundation has the final say on vulnerability risk ratings and reward eligibility

    Technical documentation is available in the VeChain developer zone, and development resources in the official VeChain Gitter community. Before submitting, please make sure you have read and agree to the VeChain bounty program rules. If you have questions, contact bounty@vechain.com