1. Guidelines
We ask that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
- Use the identified communication channels to report vulnerability information to us
- Report vulnerabilities as soon as you discover them, but keep them confidential between yourself and NFTScan until we've resolved the issue
- Provide us with at least 7 working days to investigate the issue and respond to you
2. If you are the first to report the issue, and we make a code or configuration change based on the issue, we commit to:
- Reward you with a bounty (up to a maximum of $2000 paid out per month):
  - $1000-$1500 in crypto equivalent if you identified a vulnerability that presented a critical risk *
  - $500 in crypto equivalent if you identified a vulnerability that presented a high risk *
  - $200 in crypto equivalent if you identified a vulnerability that presented a moderate risk *
  - $0 in crypto equivalent if you identified a vulnerability that presented a low risk *
  - Entry in the Hall of Fame only, if there was in fact no or low risk vulnerability but we still made a code or configuration change
- The researcher will provide us with an Ethereum address for the payout within 7 days after we have resolved the issue.

* The vulnerability level will be determined at our discretion
* In the event the vulnerability exists in multiple explorers, only the first explorer is entitled to the rewards
3. Scope
Website: https://eth.nftscan.com/
OpenAPI: https://developer.nftscan.com/
We are interested in the following vulnerabilities:
- Business logic issues
- Remote code execution (RCE)
- Database vulnerabilities, SQL injection (SQLi)
- File inclusions (Local & Remote)
- Access Control Issues (IDOR, Privilege Escalation, etc.)
- Leakage of sensitive information
- Server-Side Request Forgery (SSRF)
- Other vulnerabilities with a clear potential loss
4. Out of scope
Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following do not meet the severity threshold:
- Visual typos, spelling mistakes, etc
- Findings derived primarily from social engineering (e.g. phishing)
- Findings from applications or systems not listed in the ‘Scope’ section
- UI/UX bugs, Data entry errors, spelling mistakes, typos, etc
- Network level Denial of Service (DoS/DDoS) vulnerabilities
- Certificates/TLS/SSL related issues
- DNS issues (e.g. MX records, SPF records)
- Server configuration issues (e.g. open ports, TLS)
- Spam or Social Engineering techniques
- Security bugs in third-party applications or services
- XSS Exploits that do not pose a security risk to 'other' users (Self-XSS)
- Login/Logout CSRF-XSS
- HTTPS/SSL or server-info disclosure related issues
- HTTPS mixed content scripts
- Brute Force attacks
- Best practices concerns
- Recently (less than 30 days) disclosed 0day vulnerabilities
- Username/email enumeration via Login/Forgot Password Page error messages
- Missing HTTP security headers
- Weak password policy
5. How to Report a Security Vulnerability
Please include the following in your report:
- Description of the location and potential impact of the vulnerability
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
- Your name/handle and a link for recognition in our Hall of Fame (Twitter, Reddit, Facebook, HackerOne, etc.)
- Email us at hello@nftscan.com
HALL OF FAME
Special thanks to the following researchers for helping us make NFTScan a better place.
...