Bug Bounty Program
- Guidelines
- We ask that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
- Use the identified communication channels to report vulnerability information to us
- Report vulnerabilities as soon as you discover them, and keep them confidential between yourself and Vinascan until we have resolved the issue
- Give us at least 7 working days to investigate the issue and respond to you
- If you are the first to report the issue, and we make a code or configuration change based on the issue, we commit to:
- Recognize your contribution on Vinascan.io (see the list of the 50 most recent contributors below)
- Reward you with a bounty (up to a maximum of $2500 paid out per month):
- - $1000-$3000 in crypto equivalent if you identified a vulnerability that presented a critical risk *
- - $500 in crypto equivalent if you identified a vulnerability that presented a high risk *
- - $250 in crypto equivalent if you identified a vulnerability that presented a moderate risk *
- - $0 in crypto equivalent if you identified a vulnerability that presented a low risk *
- - Entry in the Hall of Fame only, if the report turned out to be no or low risk but we still made a code or configuration change nonetheless **
- The researcher will provide us with a wallet address, based on the reported explorer, for the payout within 7 days after we have resolved the issue.
- * The vulnerability level will be determined at our discretion.
- ** If the vulnerability exists in multiple explorers, only the reported explorer is entitled to the reward.
- Scope
- Vinascan (vinascan.io) and explorers under EaaS
- We are interested in the following vulnerabilities:
- Business logic issues
- Remote code execution (RCE)
- Database vulnerabilities, including SQL injection (SQLi)
- File inclusions (Local & Remote)
- Access Control Issues (IDOR, Privilege Escalation, etc)
- Leakage of sensitive information
- Server-Side Request Forgery (SSRF)
- Other vulnerabilities with a clear potential for loss
- Out of scope
- Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following do not meet the severity threshold:
- UI/UX bugs, visual typos, spelling mistakes, data entry errors, etc
- Findings derived primarily from social engineering (e.g. phishing)
- Findings from applications or systems not listed in the 'Scope' section
- Network level Denial of Service (DoS/DDoS) vulnerabilities
- Certificates/TLS/SSL related issues
- DNS issues (e.g. MX records, SPF records)
- Server configuration issues (e.g. open ports, TLS settings)
- Spam or Social Engineering techniques
- Security bugs in third-party applications or services
- XSS Exploits that do not pose a security risk to 'other' users (Self-XSS)
- Login/logout CSRF
- HTTPS/SSL or server-information disclosure issues
- HTTPS mixed-content scripts
- Brute Force attacks
- Best practices concerns
- Recently disclosed 0-day vulnerabilities (less than 30 days since public disclosure)
- Missing HTTP security headers
- Weak password policy
- HTML injection
- How to Report a Security Vulnerability
- Please include the following in your report:
- A description of the location and potential impact of the vulnerability
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
- Your name/handle and a link for recognition in our Hall of Fame (twitter, reddit, facebook, hackerone, etc)
- A list of the affected explorer(s)
- Email us at [Bug Bounty Report]
HALL OF FAME
Special thanks to the following researchers for helping us make Etherscan and other explorers a better place
- samczsun
- Martin Abbatemarco
- Andrew Curtin
Powered by Vinachain
Vinascan is a Block Explorer and Analytics Platform for Vinachain, a decentralized smart contracts platform.