No technology is perfect and we believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our assets. Good luck, and happy hunting!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher which may be appealed if additional evidence of an increased impact can be provided.
We will also leverage CVSS ratings if there is any ambiguity in where the submission falls in the VRT to help maintain the severity and impact of the finding. CVSS generally tracks with the VRT as such:
|CVSS v3||10.0-9.0||8.9-7.0||6.9-4.0||<= 3.9 Low Impact||<= 3.9 Informational|
Note that we will not pay for submissions that count as Informational/P5.
We reserve the right to make any final determination of rating levels for any reported vulnerability.
Note that the scope of the program is limited to technical vulnerabilities in our software and websites only. Social engineering attempts or any other attacks in the physical world are out of scope.
The Bullish exchange webapp and its APIs are out of scope and are covered under a separate program which can be found here
- To qualify for bounty, the security bug must be original and previously unreported, and must be reported to us and only us.
- We reserve the right to consider vulnerabilities in third party software as being in or out of scope.
- We will consider those vulnerabilities as in scope if they meet the other requirements for originality and are not covered by another bug bounty program.
- We will work with researchers to coordinate reports with third party programs.
- Any reward for third party vulnerabilities will require engagement with requirements of the third party software including responsible disclosure.
- Public disclosure of third party vulnerabilities even through recognized programs prior to a report to us will disqualify a report for a bounty.
- Regardless of timing and eligibility for reward, we will still work to provide mitigation, disclosure and recognition as part of this program for third party researchers.
General Out of Scope Items
- Denial Of Service Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks against public or 3rd parties, leverage black hat SEO techniques, spam people, or engage in other behavior of a similar nature or with similar consequences.
- URL redirection We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well designed and closely monitored redirectors outweigh their true risks.
- Phishing Websites We welcome reports of phishing websites using any marks, brands or similar identity to any our assets. However, we cannot pay bounties on such reports so as to avoid any creation of incentives for such efforts.
- Flaws affecting the users of out of date systems. The security models of the web, software and blockchain are being constantly fine-tuned. We will not typically reward any problems that affect only the users of outdated or unpatched systems.
- "Coin Scams" There are always scams present attempting to misappropriate real money, crypto currency and personal information. Except where such efforts infringe on a legally protected mark or identity We have no ability to intervene and therefore cannot pay bounties on such reports.
Third Party Assets - Additional Out of Scope Items
- Third party software except as previously noted.
- Public blockchains by third parties will always be out of scope.
The above being said, if you find outdated software and have good reasons to suspect that it poses a well defined security risk, please let us know. If you find security issues with third party public blockchain resources, block producers, etc. and are unable to establish contact directly we will use commercially reasonable efforts to assist in establishing contact.
Staying out of Trouble
Violations of these requirements may result in us finding a researcher ineligible for a reward and/or disqualifying any such researcher for participation in the current program or any future programs. We may also disqualify a researcher for Safe Harbor under these program rules as well as local laws and regulations.
- Please do not try to gain access into our offices, attempt social engineering attacks against our employees, etc.
- Please, never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to users or to us.
Do not perform any actions which would adversely affect the integrity or availability of any data or systems without prior authorization from us. This includes but is not limited to; website defacements, permanent modification or deletion of stored data, changes to the configuration of the operating system or running applications, etc.
Do not engage in any activity that is classed as illegal.
Do not use vulnerability testing tools that automatically generate significant volumes of traffic that could lead to the degradation of our systems or network.
- You represent and warrant that all submissions of vulnerability made by you are your own work, that you have not used information owned by another person or entity, and that you have the legal right to provide the submission of vulnerability in this program to us or Bugcrowd.
- Current or past employees of Bullish or Block.one are not eligible for reward payments, however submissions are still welcome.
- Bullish and our affiliates make no warranties, express or implied, guarantees or conditions with respect to the program. You understand that your participation in the program is at your own risk. To the extent permitted under any applicable laws and regulations, we exclude any implied warranties in connection with the program. If you do not agree to these terms, please do not provide us with any submissions or otherwise participate in this program.
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email firstname.lastname@example.org. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.