Avalanche General

Avalanche

Avalanche is an open-source platform for launching highly decentralized applications, new financial primitives, and new interoperable blockchains.

In Scope

Target                  Type  Severity  Reward
*.avalabs.org           Web   Critical  Bounty
*.avax.network          Web   Critical  Bounty
*.avax-test.network     Web   Critical  Bounty
api.avax.network        API   Critical  Bounty
api.avax-test.network   API   Critical  Bounty
*.pangolin.exchange     Web   Critical  Bounty
*.aeb.xyz               Web   Critical  Bounty
*.avax-dev.network      Web   Critical  Bounty
support.avalabs.org     Web   None      Bounty

Out of scope

Target                  Type  Severity  Reward
chat.avax.network       Web   None      --
community.avax.network  Web   None      --
docs.avax.network       Web   None      --
chat.avalabs.org        Web   None      --
docs.avalabs.org        Web   None      --
buy.avax.network        Web   None      --
gov.pangolin.exchange   Web   None      --

Rewards

Severity (CVSSv3)  Reward
Critical           $10,000
High               $5,000
Medium             $1,000
Low                $100

In-Scope Vulnerabilities

  • Unauthorized remote code execution
  • Domain takeover
  • Injection attacks
  • Leaked secrets or sensitive information
  • Denial of service - application level
  • Account takeover
  • Access control flaws
  • Application layer denial-of-service
  • Other vulnerabilities with a clear potential for loss

Out-of-Scope Vulnerabilities

  • Vulnerabilities in third-party applications
  • Unexploitable theoretical or best-practice concerns
  • Recently (less than 30 days ago) disclosed 0-day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, spam, phishing, physical, or other fraud activities
  • Most brute-forcing issues without clear impact
  • Network DoS/DDoS issues
  • Non-sensitive information disclosure
  • Clickjacking/tapjacking and issues only exploitable through clickjacking/tapjacking
  • Self-XSS that cannot be used to exploit other users
  • Missing cookie flags on non-sensitive cookies
  • CSRF on unauthenticated endpoints
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without a proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS
  • Any attacks requiring physical access to a user's device
  • CSP issues unless exploitable with a PoC

Program Rules

  • Only reports of new, unknown vulnerabilities are eligible for a reward. A vulnerability is known (i.e. a duplicate) if it has already been reported externally or discovered internally.
  • Vulnerabilities already publicly disclosed will not be eligible for a reward.
  • After reporting, details of a vulnerability may only be made public with express authorization from Ava Labs.
  • Avoid using web application scanners for automated vulnerability searching, which generates massive traffic.
  • Do not intentionally exploit any vulnerabilities you find:
      • Avoid causing damage or restricting the availability of products, services or infrastructure
      • Do not access or modify user data you do not own; limit all tests to your own accounts
      • Perform testing only within the scope
  • Intimidation or threats against Ava Labs team members and the community, whether actual or simulated, are strictly forbidden.
  • Social engineering (including phishing) targeting Ava Labs team members and the community is strictly forbidden.
  • Physical intrusion attempts targeting Ava Labs' property or data centers are strictly forbidden.
  • If you find a chain of vulnerabilities, you will be eligible for a reward based on the overall severity.
  • You are responsible for complying with your local laws.
  • Details of any vulnerability found must not be communicated to anyone who is not a member of the HackenProof team or the Ava Labs security team.
  • We strive to maintain a healthy relationship with the security research community and base our report evaluation on industry norms and logical reasoning. However, in case of any disputes, our decision is final.