1. Guidelines

We ask that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing

  • Use the identified communication channels to report vulnerability information to us

  • Report vulnerabilities as soon as you discover them, but keep them confidential between yourself and NFTScan until we’ve resolved the issue

  • Provide us with at least 7 working days to investigate the issue and get back to you

2. If you are the first to report the issue, and we make a code or configuration change based on the issue, we commit to:

  • Reward you with a bounty (up to a maximum of $2000 paid out per month):
  • $1000-$1500 in crypto equivalent if you identified a vulnerability that presented a critical risk *
  • $500 in crypto equivalent if you identified a vulnerability that presented a high risk *
  • $200 in crypto equivalent if you identified a vulnerability that presented a moderate risk *
  • $0 in crypto equivalent if you identified a vulnerability that presented a low risk *
  • Entry in the Hall of Fame only, if there was in fact no vulnerability or only a low-risk one, but we nonetheless made a code or configuration change

The researcher will provide us with an Ethereum address for the payout within 7 days after we have resolved the issue.

  • Vulnerability level will be determined at our discretion
  • In the event the vulnerability exists in multiple explorers, only the first explorer is entitled to the rewards

3. Scope



We are interested in the following vulnerabilities:

  • Business logic issues
  • Remote code execution (RCE)
  • Database vulnerabilities, SQLi
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Other vulnerabilities with a clear potential loss

4. Out of scope

Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:

  • Visual typos, spelling mistakes, etc
  • Findings derived primarily from social engineering (e.g. phishing, etc)
  • Findings from applications or systems not listed in the ‘Scope’ section
  • UI/UX bugs, data entry errors, spelling mistakes, typos, etc
  • Network level Denial of Service (DoS/DDoS) vulnerabilities
  • Certificates/TLS/SSL related issues
  • DNS issues (e.g., MX records, SPF records, etc.)
  • Server configuration issues (e.g., open ports, TLS, etc.)
  • Spam or social engineering techniques
  • Security bugs in third-party applications or services
  • XSS exploits that do not pose a security risk to 'other' users (Self-XSS)
  • Login/Logout CSRF-XSS
  • HTTPS/SSL or server-info disclosure related issues
  • HTTPS mixed content scripts
  • Brute force attacks
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0-day vulnerabilities
  • Username/email enumeration via Login/Forgot Password Page error messages
  • Missing HTTP security headers
  • Weak password policy

5. How to Report a Security Vulnerability

  • Description of the location and potential impact of the vulnerability
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
  • Your name/handle and a link for recognition in our Hall of Fame (Twitter, Reddit, Facebook, HackerOne, etc.)
  • Email us at hello@nftscan.com


Special thanks to the following researchers for helping us make NFTScan a better place.