Avalanche Websites and APIs: Program Info

Triaged by HackenProof

Ended 196 days ago

In Scope

Target Type Reward
Web Bounty
Web Bounty
Web Bounty
API Bounty
API Bounty
Web Bounty
Web Bounty
Web Bounty
Web Bounty
Web Bounty

Out of scope

Target Type Severity
Web None
Web None
Web None
Web None
Web None
Web None
Web None
Web None
Web None
Web None
Web None

In-Scope Vulnerabilities

  • Unauthorized remote code execution
  • Domain takeover
  • Injection attacks
  • Leaked secrets or sensitive information
  • Account takeover
  • Access control flaws
  • Other vulnerability with a clear potential loss

Out-of-Scope Vulnerabilities

  • Any Denial-of-Service/Spam Attack of any API
  • Vulnerabilities in third-party applications
  • Unexploitable theoretical or best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, spam, phishing, physical, or other fraud activities
  • Most brute-forcing issues without clear impact
  • Non-sensitive Information Disclosure
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking
  • Self-XSS that cannot be used to exploit other users
  • Missing cookie flags on non-sensitive cookies
  • CSRF on unauthenticated endpoints
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Any attacks requiring physical access to a user's device
  • CSP issues unless exploitable with POC
  • Only reports of new, unknown vulnerabilities are eligible for a reward. A vulnerability is known (i.e. a duplicate) if it’s already been reported externally or discovered internally.
  • Vulnerabilities already publicly disclosed will not be eligible for a reward.
  • After reporting, details of a vulnerability may only be made public with express authorization from Ava Labs.
  • Avoid using web application scanners for automatic vulnerability searching, as they generate massive traffic
  • Do not intentionally exploit any vulnerabilities you find:
      • Avoid causing damage or restricting the availability of products, services or infrastructure
      • Don’t access or modify user data you do not own; limit all tests to your own accounts
      • Perform testing only within the scope
  • Intimidation of or threats against Ava Labs team members and community, whether actual or simulated, are strictly forbidden
  • Social engineering (including phishing) targeting Ava Labs team members and community is strictly forbidden
  • Physical intrusion attempts targeting Ava Labs' property or data centers are strictly forbidden.
  • If you find chained vulnerabilities, you’ll be eligible for a reward based on the overall severity of the chain.
  • You are responsible for staying within your local laws.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or Ava Labs security team member.
  • We strive to maintain a healthy relationship with the security research community and base our report evaluation on industry norms and logical reasoning. However, in case of any disputes, our decision is final.