Skip to main content

Does Authereum have a web bug bounty program?

Support
Updated

Yes, Authereum has a bug bounty program.

Scope for Web Applications

In-Scope Vulnerabilities

Accepted, in-scope vulnerabilities include, but are not limited to:

- Disclosure of sensitive or personally identifiable information
- Cross-Site Scripting (XSS)
- Server-side or remote code execution (RCE)
- Authentication or authorization flaws, including insecure direct object references and authentication bypass
- Injection vulnerabilities, including SQL and XML injection
- Significant security misconfiguration with a verifiable vulnerability
- Exposed credentials, disclosed by Authereum or its employees, that pose a valid risk to an in scope asset

 

In-scope domains:

- authereum.com

subdomains used for demo purposes are out-of-scope.

 

Out-of-Scope Vulnerabilities

Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:


- Username and email enumeration on public facing systems (i.e. using server responses to determine whether a given account exists)
- Scanner output or scanner-generated reports, including any automated or active exploit tool
- Attacks involving payment fraud, theft, or malicious merchant accounts
- Man-in-the-Middle attacks
- Vulnerabilities involving stolen credentials or physical access to a device
- Social engineering attacks, including those targeting or impersonating internal employees by any means
- Open redirection, except in the following circumstances:
    - Clicking an Authereum-owned URL immediately results in a redirection
    - A redirection results in the loss of sensitive data (e.g. session tokens, PII, etc)
- Host header injections without a specific, demonstrable impact
- Denial of service (DOS) attacks using automated tools
- Self-XSS, which includes any payload entered by the victim
- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
- Login/logout CSRF
- Content spoofing without embedding an external link or JavaScript
- Infrastructure vulnerabilities, including:
    - Issues related to SSL certificates
    - DNS configuration issues
- Server configuration issues (e.g. open ports, TLS versions, etc.)
- Most vulnerabilities within our sandbox, lab, or staging environments, except Braintree.
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Vulnerabilities that only affect one browser will be considered on a case-by-case basis, and may be closed as informative due to the reduced attack surface
- Information disclosure of public or non-protected information (e.g. code in a public repository, server banners, etc.), or information disclosed outside of Authereums's control (e.g. a personal, non-employee repository; a list from a previous infodump; etc.)
- Exposed credentials that are either no longer valid, or do not pose a risk to an in scope asset
- Any XSS that requires Flash. Flash is disabled by default in most modern browsers, thus greatly reducing the attack surface and associated risk.
- Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact
- Vulnerabilities on third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
- Password policy
- Rate limiting on non-sensitive endpoints. Rate limit bugs will be considered low severity.

- Subdomains that are managed by 3rd parties such as support.authereum.com (authereum.zendesk.com) and docs.authereum.com (authereum.gitbook.io) are out-of-scope.

 

Bug Submission Requirements

Required information

For all submissions, please include:

- Full description of the vulnerability being reported, including the exploitability and impact
Evidence and explanation of all steps required to reproduce the submission, which may include:
    - Videos
    - Screenshots
    - Exploit code
    - Traffic logs
    - Web/API requests and responses
    - Email address or user ID of any test accounts
    - IP address used during testing

 

Reward Amounts

- Informational: $20

- Low severity (ie rate limit issues): $50

- Medium: TBD

- High: TDB

- Critical: TBD

 

Bounty rewards are determined on a case-by-case basis.

 

Smart contract bug bounty program

For smart contract bug bounties, visit the smart contract bounty program page.

 

Note: Authereum is officially shutting down . Read more here.

Related articles

Comments

0 comments

Article is closed for comments.