The Avalanche Websites and APIs (formerly Avalanche General) bug bounty program covers our Web 2.0 internet-facing applications and infrastructure.
In Scope
| Target | Type | Reward |
|---|---|---|
| *.avalabs.org | Web | Bounty |
| *.avax.network | Web | Bounty |
| *.avax-test.network | Web | Bounty |
| api.avax.network | API | Bounty |
| api.avax-test.network | API | Bounty |
| *.avax-dev.network | Web | Bounty |
| support.avalabs.org | Web | Bounty |
| | Web | Bounty |
| | Web | Bounty |
| | Web | Bounty |
Out of scope
| Target | Type | Severity |
|---|---|---|
| chat.avax.network | Web | None |
| docs.avax.network | Web | None |
| chat.avalabs.org | Web | None |
| buy.avax.network | Web | None |
| *.snowtrace.io | Web | None |
| community.avax.network | Web | None |
| test*.avax.network | Web | None |
| forum.avax.netowrk | Web | None |
| https://avalanche-hub.com/ | Web | None |
In-Scope Vulnerabilities
- Unauthorized remote code execution
- Domain takeover
- Injection attacks
- Leaked secrets or sensitive information
- Account takeover
- Access control flaws
- Other vulnerabilities with a clear potential for loss
Out-of-Scope Vulnerabilities
- Any Denial-of-Service/Spam Attack of any API
- Vulnerabilities in third-party applications
- Unexploitable theoretical or best practices concerns
- Recently (less than 30 days) disclosed 0day vulnerabilities
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering, spam, phishing, physical, or other fraud activities
- Most brute-forcing issues without clear impact
- Non-sensitive Information Disclosure
- Clickjacking/tapjacking and issues only exploitable through clickjacking/tapjacking
- Self-XSS that cannot be used to exploit other users
- Missing cookie flags on non-sensitive cookies
- CSRF on unauthenticated endpoints
- OPTIONS/TRACE HTTP method enabled
- Host header issues without proof-of-concept demonstrating the vulnerability
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Any attacks requiring physical access to a user's device
- CSP issues unless exploitable with POC
- Only reports of new, unknown vulnerabilities are eligible for a reward. A vulnerability is known (i.e. a duplicate) if it’s already been reported externally or discovered internally.
- Vulnerabilities already publicly disclosed will not be eligible for a reward.
- After reporting, details of a vulnerability may only be made public with express authorization from Ava Labs.
- Avoid using web application scanners for automated vulnerability searching, as they generate massive traffic
- Do not intentionally exploit any vulnerabilities you find:
  - Avoid causing damage or restricting the availability of products, services or infrastructure
  - Do not access or modify user data you do not own; confine all tests to your own accounts
  - Perform testing only within the scope
- Intimidation of or threats against Ava Labs team members and community, whether actual or simulated, are strictly forbidden
- Social engineering (including phishing) targeting Ava Labs team members and community is strictly forbidden
- Physical intrusion attempts targeting Ava Labs' property or data centers are strictly forbidden.
- If you find a chain of vulnerabilities, you will be eligible for a reward based on the overall severity.
- You are responsible for staying within your local laws.
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or Ava Labs security team member.
- We strive to maintain a healthy relationship with the security research community and base our report evaluation on industry norms and logical reasoning. However, in case of any disputes, our decision is final.