Blockport's Vulnerability Disclosure

  • Points per vulnerability
  • Managed by Bugcrowd

Program stats

3 vulnerabilities rewarded

Validation within 3 days
75% of submissions are accepted or rejected within 3 days


Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

What is Blockport:

Blockport aims to bridge the traditional world of finance and the new digital (crypto) economy.

In 2017 we saw a rising opportunity. The cryptocurrency and blockchain space was blooming and ripe for adoption by the majority of our society. We set out to build a user-friendly exchange that connects social with trading, enabling people to effortlessly trade cryptocurrency and help them adopt the new digital economy. We called our company and platform Blockport - an abbreviation for “Blockchain portal”, providing everyone access to the world of cryptocurrency and blockchain.

We are working hard to ensure a secure and stable product so that we can soon start on-boarding more users with confidence.


About this program:

Naturally, financial systems come with a great responsibility for anyone involved in the platform's security. Therefore, Blockport requires that all participants:

  • Do not access customer or employee PII (Personal Identifiable Information), information considered pre-release, or any other confidential information. If you access any of these by accident, we ask you to immediately stop testing and submit the vulnerability.
  • Stop testing and report any found issue immediately if you gain access to any non-public application or information.
  • Do not in any way negatively impact Blockport's user experience. This means anything like disrupting production systems, or destroying data during security testing.
  • Perform research only within the scope set out below.
  • Use the Bugcrowd report submission form to report vulnerability information to us.
    • Collect only the information necessary to demonstrate the vulnerability.
    • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the Bugcrowd submission form (do not use third party file sharing sites).
  • Follow the Bugcrowd “Coordinated Disclosure” rules.

In turn, Blockport will:

  • Work together with you to understand and attempt to resolve the issue quickly (confirming the report quickly after submission);
  • Recognize your addition to our Hall of Fame, if you are the first to report an issue of P1 or P2 and we make a technical change based on the issue.

To promote the responsible disclosure of security issues, Blockport will not file a lawsuit against you or ask law enforcement to investigate you if we can clearly determine that your research and disclosure meet the above requirements and overall guidelines.


Rewards/ratings:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

This program currently offers no monetary compensation for findings. We aim to find out what reward structure fits us and the community best, and in the meantime we absolutely encourage anyone with a valid security issue to responsibly disclose it to us. Please note that we are planning to add monetary compensation in the future, and we already aim to reward particularly valuable submissions.

We sincerely thank you for helping make Blockport more secure!

Targets

In scope

Target name            Type
app.blockport.io/api   API
app.blockport.io       Website
blockport.io           Website

Any domain/property of Blockport not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


Target info:

Target                        Description
https://app.blockport.io/api  The backend of the app; all functionality goes through this API. There is currently no public documentation available.
https://app.blockport.io      The application that consumes the API and is the primary interface of Blockport.
https://blockport.io          Our marketing site. There isn't much dynamic content here, but if you can find a vulnerability, let us know!

Access:

Researchers are free to self-provision and test any of the above assets as they're able to. No credentials or funds will be provided by Blockport at this time.


Focus Areas:

We ask researchers to focus their efforts in the following areas:

  • Business Logic
  • Cross Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Cross Instance Data Leakage/Access (unauthorized data access between instances)
  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • SQL Injection (SQLi)
  • Authentication related issues
  • Authorization related issues
  • Data Exposure
  • Redirection attacks
  • Remote Code Execution
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
  • API vulnerabilities
  • Path/Directory Traversal Issues

Out of scope (IMPORTANT)

  • Any websites or applications managed by entities other than Blockport (note: these might be integrated into an in-scope app, for example Usabilla on https://app.blockport.io)
  • jobs.blockport.io
  • support.blockport.io
  • blog.blockport.io

In addition, findings that fall into the “Excluded Submission Types” listed below will also be flagged as out of scope.

Excluded Submission Types

Vulnerability reports which do not include careful manual validation - for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability - will be closed as Not Applicable.

This Responsible Disclosure program follows Bugcrowd’s Vulnerability Rating Taxonomy and additionally excludes the vulnerability classes listed below:

  • Cookie valid after logout
  • Cookie valid after password change/reset
  • Cookie time to expiration
  • Forgot password autologin
  • Autologin token reuse
  • Statically served content over HTTP
  • Physical Testing (we value personal contact, but just send us a message)
  • Social Engineering
  • Any form of phishing
  • Denial of service attacks
    • Resource Exhaustion attacks
    • Issues related to rate limiting
  • Issues related to cross-domain policies for software such as Flash, Silverlight etc. without evidence of an exploitable vulnerability
  • User enumeration
  • Vulnerabilities impacting only old/end-of-life browsers/plugins including:
    • Issues that have had a patch available from the vendor for at least 6 months
    • Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)
    • Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in our security systems or software (e.g. UXSS)
  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
  • Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.