Bug Bounty Submission Policy and Scope

Ny penetration tests


Our bug bounty process is currently under review and, as such, all bounty submissions are on hold as of Monday the 7th of January 2019. Any reports submitted prior to this date will be assessed as per this document.

This page will be updated when the submission process has reopened.

General Policy

Security is obviously a top priority for us; however, we simply do not have the time and resources to devote to the scanning and testing that it requires. We are enlisting the help of both the Zen community and the greater InfoSec community to help find and resolve any issues.

If you discover a potential security issue, please report it as soon as possible; we will work with you to validate the issue. If the issue is validated and determined to be within scope, we will make every effort to correctly resolve it. Reporters are expected to allow a minimum of two weeks for Horizen to acknowledge the report before publicly disclosing the issue.

Currently, there is no way to make a report public after the issue is resolved. We are working on implementing this, and reporters are allowed to share reports and bounties as they see fit after the resolution is applied. If requested, Horizen can provide validation that the reporter did in fact submit a report and what bounty was awarded.

Submission Process

Reports may be submitted to the Bug Bounty program via the following methods:

  1. Email to support[at]horizen.global
  2. Ticket created at support[dot]horizen.global
  3. Discord Direct Message to one of the following users:
    1. @cronic:9551
    2. @macZenTeam:8537
  4. Encrypted email to security[at]horizen.global
    1. The public key is available here: https://zencashofficial.github.io/keys/
    2. This is the preferred method for any extremely critical security issues.

Note: Please indicate in subject or message body that the submission is a bug bounty.

Rewards and Payouts

Rewards are paid out in ZEN, based on the price on CoinMarketCap, from the Horizen Community Fund after the issue is resolved. When possible, reports are rated according to the Bugcrowd Vulnerability Rating Taxonomy, and payouts generally follow this structure:

  • P1: up to 2500 USD
  • P2: up to 1000 USD
  • P3: up to 500 USD
  • P4: up to 200 USD
  • P5: up to 100 USD

Note: This reward structure is under review and may change periodically.


If the report is for a known issue, no bounty will be awarded. Bounties may still be paid for valid reports even if the issue is determined to be a WontFix.

Ultimately, the final call for all bounty payouts is up to a human, not a process. We will still validate and investigate any report, regardless of whether it meets our criteria or not. It's very possible that an "invalid" report will still receive a payout, or that a report will receive a higher payout than indicated above. We may also elect to award a lower payout, or no payout, for valid reports. Discretion is ours and ours alone, but we try to be as fair as possible. Comparable HackerOne reports will often be used as a reference when determining payout amounts.

Scope

All Horizen software other than the website (e.g. core zend code, wallets, Secure Node Tracker, Zencashjs, etc.) is In-Scope, provided that testing is performed on Testnet or pre-production servers wherever possible. Testing on Mainnet or production servers may remove any eligibility for a bounty.

The following lists are examples of web vulnerabilities that are currently In-Scope and Out-of-Scope for the Bug Bounty program. These lists are not exhaustive and will be updated as needed, so it's advised to check this page often.

Examples of web vulnerabilities that are currently In-Scope for the Bug Bounty program:

  • XSS
  • CSRF/SSRF
  • SQLi (All types)
  • Directory Traversal
  • LFI/LFD
  • XXE
  • File Upload issues
  • Any type of RCE
  • Anything within the current OWASP Top 10

Examples of web vulnerabilities that are currently Out-of-Scope for the Bug Bounty program:

  • Overly descriptive error messages
  • Open redirects
  • Discovered login panels (unless they're exploitable)
  • HTTP headers (e.g. X-Frame-Options, X-XSS-Protection, etc)
  • Broken links
  • Fingerprinting
  • Common file disclosure (e.g. robots.txt)
  • Missing patches/updates (without working PoC)
  • HTTP usage rather than HTTPS
  • Clickjacking
  • Anything requiring physical access
  • CSRF in anonymously accessible pages
  • WordPress username enumeration
  • Autocomplete or Save Password functionality
  • Missing Cookie flags
  • CSP
  • Minor DNS issues (e.g. SPF SoftFail, DKIM/DMARC...)
  • Vulnerabilities only affecting outdated browsers
  • Any Phishing
  • Most brute forcing
  • DoS/DDoS
  • Spamming
  • Jira/Confluence Cloud Bugs

Credit to Grabtaxi for inspiring much of the content: https://hackerone.com/grab

© 2020 Horizen. All rights reserved.