Author Topic: Crypto.com Bug Bounty  (Read 2615 times)

Angelina

Crypto.com Bug Bounty
« on: April 19, 2023, 05:54:51 PM »
Submit bug report: https://crypto.com
@cryptocom

Crypto.com is on a mission to accelerate the world's transition to cryptocurrency, bringing cryptocurrency to every wallet.
Note: If the Report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly.
We have not set a maximum reward for the reporting of security vulnerabilities and may increase reward amounts based on the severity of the vulnerability found. The specific amount of the bug will vary according to:
The effect of the bug.
The cause of the bug.
Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.
The process through which the bug was discovered.
Besides earning a place in our security hall of fame, every security vulnerability submitted that results in a fix on our side will receive a monetary reward.
Crypto.com recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.
Note: This program is for the disclosure of software security vulnerabilities only.
Program Rules
Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks.
Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
We will not approve Public Disclosure requests until the vulnerability has been resolved.
Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.
Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.
By submitting a bug, you agree to be bound by the rules.
Scope
In Scope Assets: Please refer to the Structured Scope at the bottom of the policy page
An issue identified in the applications listed in the structured scopes only qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.
All services provided by Crypto.com are eligible for our bug bounty program, including the Crypto.com Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].
Note: Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.
Testing Resources and Guidance
Crypto.org Chain Testnet (Croeseid) relevant resources:
https://crypto.org/explorer/
https://github.com/crypto-org-chain/chain-main
Nodes:
13.70.17.170
13.90.34.32
40.79.80.22
mainnet.crypto.org
seed-0.crypto.org
seed-1.crypto.org
seed-2.crypto.org
https://crypto.org/docs/getting-started/mainnet.html#step-2-configure-chain-maind
Qualifying Vulnerabilities in the Crypto.com Exchange and areas we are concerned with:
Remote Code Execution
Significant manipulation of the account balance
Leakage of sensitive data
XSS/CSRF/Clickjacking affecting sensitive actions
Theft of privileged information
Partial authentication bypass
Other vulnerability with clear potential for financial or data loss
Other XSS (excluding Self-XSS)
Other CSRF (excluding logout CSRF)
Qualifying Vulnerabilities in the Crypto.org Chain and areas we are concerned with
We are looking to find security issues affecting our blockchain protocol such as:
Bugs in our implementation of the cryptographic primitives
Remote Code Execution on any Crypto.com node and the reference wallet implementation
Vulnerabilities that disrupt the consensus result and performance
Unauthorized movement of funds, access to private keys
Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation
Transaction origin spoofing
Vulnerabilities that affect the stability or availability of Crypto.org Chain / Explorer
Product and Feature Updates [regularly updated]
To keep you updated about our new products and feature releases so that you are aware of our full attack surface, be sure to check this section regularly.
For more information about Crypto.com’s recent dev updates, you may also refer to our blog.
Update - 30 November 2020: “Margin Trading” service released
Crypto.com has released a new feature called Margin Trading service on the crypto.com/exchange platform.
The new Margin Trading enhancement released recently allows users to separate margin wallet, obtain a loan to margin trade, place and cancel orders in crypto.com Exchange, and will continuously monitor each user’s Margin Level.
Update - 11 September 2020: CRO Swap added into scope
This Program is limited to the vulnerabilities affecting CRO swap in the following contracts:
https://github.com/crypto-com/cro-staking
https://github.com/crypto-com/swap-contracts-periphery
https://github.com/crypto-com/swap-contracts-core
For purposes of the Program, bugs in Swap Contracts Periphery or CRO Staking will be considered less severe than those found in Swap Contracts Core.
For your reported vulnerability to be eligible, you must:
Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock on any ERC-20 token on CRO swap (but not on any third party platform interacting with CRO swap) and that is within the scope of this Program.
Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
Out-of-scope Vulnerabilities
Non-Qualifying Vulnerabilities in the Crypto.com Exchange
Theoretical vulnerabilities without actual proof of concept
Email verification deficiencies, expiration of password reset links, and password complexity policies
Clickjacking/UI redressing with minimal security impact
Email enumeration (E.g. the ability to identify emails via password reset)
Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
Tab-nabbing
Self-XSS
Denial of service (DoS)
Spamming
Usability issues
Vulnerabilities only exploitable on out-of-date browsers or platforms
Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI
Reports from automated tools or scans, without exploitability demonstration
Vulnerabilities related to autofill web forms
Use of known vulnerable libraries without actual proof of concept
Lack of security flags in cookies
Issues related to unsafe SSL/TLS cipher suites or protocol version
Content spoofing
Cache-control related issues
Exposure of internal IP address or domains
Missing security headers that do not lead to direct exploitation
CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)
Vulnerabilities that require physical access to a user's device
Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (E.g. HTTP Basic Authentication Phishing)
Non-Qualifying Vulnerabilities in the Crypto.org Chain
Vulnerabilities in Intel SGX
Vulnerabilities in Cosmos SDK
Vulnerabilities in a dependent 3rd party library
Vulnerabilities in the demo wallet example in HERE
Missing features, missing best practices, known limitations, known bugs, e.g. >⅓ Byzantine faults
Non-Qualifying Vulnerabilities for CRO Swap assets
The following are not eligible:
The example contracts and the contracts in the test folder for the periphery Contracts link set forth above;
Any contract removed from the list of contracts in the Periphery Contracts link set forth above (such list may change from time to time without notice);
Bugs in any third party contract or platform that interacts with CRO swap;
Non-Qualifying Vulnerabilities in the Mobile Apps
Any CRO cashback gained via a typical purchase, payment or cash advance
Shared links leaked through the system clipboard.
Any URIs leaked because a malicious app has permission to view URIs opened
Absence of certificate pinning
Sensitive data in URLs/request bodies when protected by TLS
User data stored unencrypted on external storage and private directory.
Lack of obfuscation is out of scope
Auth "app secret" hard-coded/recoverable in APK.
Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes
Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
Clickjacking/UI redressing with minimal security impact.
Distributed denial of service attacks (DDOS).
DNSSEC Misconfiguration
Lack of binary protection (anti-debugging) controls.
Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
Path disclosure in the binary
Snapshot/Pasteboard leakage
Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)
Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
Require physical connection to the device with developer-level debugging tool including but not limited to ADB.
Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.
Scenarios requiring excessive user interaction or tricking users like phishing.
Exploit is based on a complex scenario or the probability of exploit is very low.
Reports based on information taken or obtained through illegal access of Crypto.com Confidential information.
Internally known Issues
Crypto.com is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes.
Disclaimer:
Crypto.com reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.
CRO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.
By submitting a bug, you agree to be bound by the above rules.
Safe Harbour:
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
« Last Edit: April 26, 2023, 06:07:42 PM by Angelina »