Yes, Authereum has a bug bounty program.
Scope for Web Applications
Accepted, in-scope vulnerabilities include, but are not limited to:
- Disclosure of sensitive or personally identifiable information
- Cross-Site Scripting (XSS)
- Server-side or remote code execution (RCE)
- Authentication or authorization flaws, including insecure direct object references and authentication bypass
- Injection vulnerabilities, including SQL and XML injection
- Significant security misconfiguration with a verifiable vulnerability
- Exposed credentials, disclosed by Authereum or its employees, that pose a valid risk to an in scope asset
subdomains used for demo purposes are out-of-scope.
Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:
- Username and email enumeration on public facing systems (i.e. using server responses to determine whether a given account exists)
- Scanner output or scanner-generated reports, including any automated or active exploit tool
- Attacks involving payment fraud, theft, or malicious merchant accounts
- Man-in-the-Middle attacks
- Vulnerabilities involving stolen credentials or physical access to a device
- Social engineering attacks, including those targeting or impersonating internal employees by any means
- Open redirection, except in the following circumstances:
- Clicking an Authereum-owned URL immediately results in a redirection
- A redirection results in the loss of sensitive data (e.g. session tokens, PII, etc)
- Host header injections without a specific, demonstrable impact
- Denial of service (DOS) attacks using automated tools
- Self-XSS, which includes any payload entered by the victim
- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
- Login/logout CSRF
- Infrastructure vulnerabilities, including:
- Issues related to SSL certificates
- DNS configuration issues
- Server configuration issues (e.g. open ports, TLS versions, etc.)
- Most vulnerabilities within our sandbox, lab, or staging environments, except Braintree.
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Vulnerabilities that only affect one browser will be considered on a case-by-case basis, and may be closed as informative due to the reduced attack surface
- Information disclosure of public or non-protected information (e.g. code in a public repository, server banners, etc.), or information disclosed outside of Authereums's control (e.g. a personal, non-employee repository; a list from a previous infodump; etc.)
- Exposed credentials that are either no longer valid, or do not pose a risk to an in scope asset
- Any XSS that requires Flash. Flash is disabled by default in most modern browsers, thus greatly reducing the attack surface and associated risk.
- Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact
- Vulnerabilities on third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
- Password policy
- Rate limiting on non-sensitive endpoints. Rate limit bugs will be considered low severity.
- Subdomains that are managed by 3rd parties such as support.authereum.com (authereum.zendesk.com) and docs.authereum.com (authereum.gitbook.io) are out-of-scope.
Bug Submission Requirements
For all submissions, please include:
- Full description of the vulnerability being reported, including the exploitability and impact
Evidence and explanation of all steps required to reproduce the submission, which may include:
- Exploit code
- Traffic logs
- Web/API requests and responses
- Email address or user ID of any test accounts
- IP address used during testing
- Informational: $20
- Low severity (ie rate limit issues): $50
- Medium: TBD
- High: TDB
- Critical: TBD
Bounty rewards are determined on a case-by-case basis.
Smart contract bug bounty program
For smart contract bug bounties, visit the smart contract bounty program page.
Note: Authereum is officially shutting down . Read more here.