WOO Network: Bug Bounty Program

  • $200 – $9,000 per vulnerability
  • Up to $10,000 maximum reward

Program stats

  • Vulnerabilities rewarded 38
  • Validation within 5 days 75% of submissions are accepted or rejected within 5 days
  • Average payout $1,000 within the last 3 months

Latest hall of famers

Recently joined this program

No technology is perfect and WOO Network believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web applications and API. Good luck, and happy hunting!


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

The final bounty will be the Base Bounty + PII Bonus (if any) +Special Bonus (if any)

type Category Maximum Rewards Notes
P1 Remote Code Execution (RCE) $10,000 The ability to execute arbitrary system commands on a remote server with no circumstances beyond the attacker’s control will qualify for a maximum reward.
P1 Server Side Request Forgery (SSRF) $6000 – $9000 The ability to make arbitrary network requests within WOO Network’s internal network and read sensitive data would qualify for a maximum reward. Factors that may limit severity include: Blind SSRF (unable read data or only certain file types, like images) and Limited to the type of requests that can be made (e.g. POST only).
P1 SQL Injection $6000 – $9000
P1 Sensitive File Access $6000 – $9000
P2 Account takeover $2000 – $4000 The maximum reward is reserved for account takeover vulnerabilities that require no user interaction.
P2 Logic flaw $2000 – $4000 This includes (non-exhaustive) ways to exploit the fact that the application does not behave as expected, such as: Changing/altering of parameters that results in unintended behavior (Eg: IDOR) or Bypassing paywall, approval process, business workflow within the application or Bypassing authentication mechanism.
P3 Cross-Site Scripting (XSS) $1000 - $2000 XSS vulnerabilities are limited to a base reward of $1,000. If you can access sensitive data, you may also be eligible for the PII bonus. If the XSS can be escalated to a more severe vulnerability, it will be evaluated under that category.
P3 CSRF $1000 - $2000
P4 Other valid vulnerabilities $200 - $1500

Bonus rewards in addition to base bounties:

Type Bonus amount
Special Bonus Up to $5000
Personal information leakage Up to $5000

Report Assessment and Bounty Calculations

1) Base Bounty Maximum reward is based on the bounty table. The report is then evaluated based on maximum reward, CVSS and an evaluation of the business impact.
2) Other rewards: Personal information leakage (PII) We aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.

  • Category A – Max $5000:
    • Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)
    • Biometric data (Example: Fingerprint features used for authentication)
    • Official documents used for identification (Example: Passport)
    • Any information covered by Personal Information Protection law (Example: Information that allows one to uniquely identifying a person)
  • Category B – Max $2000:
    • Partially identifying information (Example: Full address incl. apartment number, if applicable)
    • Information not supposed to be available to the attacker (Example: Account Amount and Transaction History)
  • Category C – Max $1000:
    • Other types of sensitive user information (Example: Full name, List of previous purchases)

3) Other rewards: Special Bonus This category is for rewarding special contributions. This is entirely up to the WOO Network Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. Reports that qualify based on the below will have their bounty increased up to $5,000.

A few examples of things we will be looking for are:

  • Novel and innovative approach and exploit
  • Creative chaining of exploits
  • Easy to understand report and good description root cause of issue
  • Vulnerabilities that could undermine the safety of any user or validator's fund/fee
  • Vulnerabilities related to key generation, encryption, decryption, signing and verification
  • Remote leaks of unencrypted private keys / mnemonic / key seed
  • Vulnerabilities that could severely undermine trading or token economy.

Examples of issues that we are looking for:

  • Vulnerabilities that can cause a loss of user funds/assets remotely
  • Vulnerabilities that can cause exposure of private keys or mnemonic seed phrase remotely
  • Vulnerabilities in chain-related implementations
  • Denial of service of the wallet app
  • Remote code execution
  • Insecure cryptographic implementation for sensitive functions such as wallet generation, transaction signing etc.

Testing is only authorized on the targets listed as in scope. Any domain/property of WOO Network} not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in scope, but it demonstrably belongs to WOO Network, you can report it to this program. However, be aware that it is ineligible for rewards or points-based compensation.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.