No technology is perfect and Bullish believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our assets. Good luck, and happy hunting!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Bullish will also leverage CVSS ratings if there is any ambiguity in where the submission falls in the VRT to help maintain the severity and impact of the finding. CVSS generally tracks with the VRT as such:
|CVSS v3||10.0-9.0||8.9-7.0||6.9-4.0||<= 3.9 Low Impact||<= 3.9 Informational|
Note that Bullish will not pay for submissions that count as Informational/P5.
Bullish reserves the right to make any final determination of rating levels for any reported vulnerability.
Note that the scope of the program is limited to technical vulnerabilities in Bullish software and websites only. The Bullish exchange webapp and its APIs (once launched), including pilot.bullish.com, are out of scope and will be subject to a separate program. Please do not try to sneak into Bullish offices, attempt phishing attacks against our employees, and so on.
- Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks against public or 3rd parties, leverage black hat SEO techniques, spam people, or engage in other behaviour of a similar nature or with similar consequences.
- To qualify for bounty, the security bug must be original and previously unreported, and must be reported to Bullish and only Bullish.
- We reserve the right to consider vulnerabilities in third party software as being in or out of scope.
- We will consider those vulnerabilities as in scope if they meet the other requirements for originality and are not covered by another bug bounty program.
- We will work with researchers to coordinate reports with third party programs.
- Any reward for third party vulnerabilities will require engagement with requirements of the third party software including responsible disclosure.
- Public disclosure of third party vulnerabilities even through recognized programs prior to a report to Bullish will disqualify a report for a bounty.
- Regardless of timing and eligibility for reward, Bullish will still work to provide mitigation, disclosure and recognition as part of this program for third party researchers.
General Out of Scope Items
- URL redirection We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well designed and closely monitored redirectors outweigh their true risks.
- Phishing Websites We welcome reports of phishing websites using any marks, brands or similar identity to any Bullish assets. However, we cannot pay bounties on such reports so as to avoid any creation of incentives for such efforts.
- Flaws affecting the users of out of date systems. The security models of the web, software and blockchain are being constantly fine tuned. Bullish will typically not reward any problems that affect only the users of outdated or unpatched systems.
- "Coin Scams" There are always scams present attempting to misappropriate real money, crypto currency and personal information. Except where such efforts infringe on a legally protected mark or identity Bullish has no ability to intervene and therefore cannot pay bounties on such reports.
Third Party Assets - Additional Out of Scope Items
- Third party software except as previously noted.
- Public blockchains by third parties will always be out of scope.
The above being said, if you find outdated software and have good reasons to suspect that it poses a well defined security risk, please let us know. If you find security issues with third party public blockchain resources, block producers, etc. and are unable to establish contact directly we will use commercially reasonable efforts to assist in establishing contact.
Staying out of Trouble
Violations of these requirements may result in Bullish finding a researcher ineligible for a reward and/or disqualifying any such researcher for participation in the current program or any future programs. We may also disqualify a researcher for Safe Harbor under these program rules as well as local laws and regulations.
- Please do not try to sneak into Bullish (or anyone else's) offices, attempt phishing attacks against our employees, and so on.
- Please, never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to users or to Bullish.
- Obviously do not engage in activity that is illegal.
- Do not use vulnerability testing tools that automatically generate very significant volumes of traffic except in a closed environment within your control.
- You represent and warrant that all submissions of vulnerability made by you are your own work, that you have not used information owned by another person or entity, and that you have the legal right to provide the submission of vulnerability in this program to us or Bugcrowd.
- Bullish and our affiliates make no warranties, express or implied, guarantees or conditions with respect to the program. You understand that your participation in the program is at your own risk. To the extent permitted under any applicable laws and regulations, we exclude any implied warranties in connection with the program. If you do not agree to these terms, please do not provide us with any submissions or otherwise participate in this program.
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email firstname.lastname@example.org. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.