Avalanche General

Avalanche

Avalanche is an open-source platform for launching highly decentralized applications, new financial primitives, and new interoperable blockchains.

Please note that OUT OF SCOPE targets take precedence over IN SCOPE targets, so check the OUT OF SCOPE target list before testing.

In Scope

Target                  Type  Severity  Reward
*.avalabs.org           Web   Critical  Bounty
*.avax.network          Web   Critical  Bounty
*.avax-test.network     Web   Critical  Bounty
api.avax.network        API   Critical  Bounty
api.avax-test.network   API   Critical  Bounty
*.pangolin.exchange     Web   Critical  Bounty
*.aeb.xyz               Web   Critical  Bounty
*.avax-dev.network      Web   Critical  Bounty
support.avalabs.org     Web   None      Bounty

Out of scope

Target                  Type  Severity  Reward
chat.avax.network       Web   None      Bounty
community.avax.network  Web   None      Bounty
docs.avax.network       Web   None      Bounty
chat.avalabs.org        Web   None      Bounty
docs.avalabs.org        Web   None      Bounty
buy.avax.network        Web   None      Bounty
gov.pangolin.exchange   Web   None      Bounty
forum.avax.network      Web   None      Bounty

In-Scope Vulnerabilities

  • Unauthorized remote code execution
  • Domain takeover
  • Injection attacks
  • Leaked secrets or sensitive information
  • Denial of service (application level)
  • Account takeover
  • Access control flaws
  • Application layer denial-of-service
  • Other vulnerability with a clear potential loss

Out-of-Scope Vulnerabilities

  • Vulnerabilities in third-party applications
  • Unexploitable theoretical or best-practice concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, spam, phishing, physical, or other fraud activities
  • Most brute-forcing issues without clear impact
  • Network DoS/DDoS issues
  • Non-sensitive Information Disclosure
  • Clickjacking/tapjacking and issues only exploitable through clickjacking/tapjacking
  • Self-XSS that cannot be used to exploit other users
  • Missing cookie flags on non-sensitive cookies
  • CSRF on unauthenticated endpoints
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS
  • Any attacks requiring physical access to a user's device
  • CSP issues unless exploitable with a POC

Program Rules

  • Only reports of new, unknown vulnerabilities are eligible for a reward. A vulnerability is known (i.e. a duplicate) if it has already been reported externally or discovered internally.
  • Vulnerabilities already publicly disclosed will not be eligible for a reward.
  • After reporting, details of a vulnerability may only be made public with express authorization from Ava Labs.
  • Avoid using web application scanners for automated vulnerability searching, as they generate massive traffic.
  • Do not intentionally exploit any vulnerabilities you find:
      • Avoid causing damage to, or restricting the availability of, products, services or infrastructure
      • Do not access or modify user data you do not own; limit all tests to your own accounts
      • Perform testing only within the scope
  • Intimidation or threats against Ava Labs team members and community, whether actual or simulated, are strictly forbidden.
  • Social engineering (including phishing) targeting Ava Labs team members and community is strictly forbidden.
  • Physical intrusion attempts targeting Ava Labs' property or data centers are strictly forbidden.
  • If you find a chain of vulnerabilities, you will be eligible for a reward based on the overall severity.
  • You are responsible for staying within your local laws.
  • Details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or Ava Labs security team member.
  • We strive to maintain a healthy relationship with the security research community and base our report evaluation on industry norms and logical reasoning. However, in case of any disputes, our decision is final.