The Avalanche Websites and APIs (formerly Avalanche General) bug bounty program covers our Web 2.0 internet-facing applications and infrastructure.
Hacker Update: As of April 7 we will not accept new sub-domain takeover vulnerabilities until further notice.
In Scope
Target | Type | Reward
---|---|---
*.avalabs.org | Web | Bounty
*.avax.network | Web | Bounty
*.avax-test.network | Web | Bounty
api.avax.network | API | Bounty
api.avax-test.network | API | Bounty
*.avax-dev.network | Web | Bounty
support.avalabs.org | Web | Bounty
Avalanche-Wallet | Web | Bounty
AvalancheJS | Web | Bounty
Avalanche-Wallet-SDK | Web | Bounty
Out of scope
Target | Type | Severity
---|---|---
chat.avax.network | Web | None
docs.avax.network | Web | None
chat.avalabs.org | Web | None
buy.avax.network | Web | None
*.snowtrace.io | Web | None
community.avax.network | Web | None
test*.avax.network | Web | None
forum.avax.network | Web | None
avalanche-hub.com | Web | None
academy.avax.network | Web | None
*.avacloud.io | Web | None
In-Scope Vulnerabilities
- Unauthorized remote code execution
- Domain takeover
- Injection attacks
- Leaked secrets or sensitive information
- Account takeover
- Access control flaws
- Other vulnerability with a clear potential loss
Out-of-Scope Vulnerabilities
- Any Denial-of-Service/Spam Attack of any API
- Vulnerabilities in third-party applications
- Unexploitable theoretical or best practices concerns
- Recently (less than 30 days) disclosed 0day vulnerabilities
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering, spam, phishing, physical, or other fraud activities
- Most brute-forcing issues without clear impact
- Non-sensitive Information Disclosure
- Clickjacking/tapjacking and issues only exploitable through clickjacking/tapjacking
- Self-XSS that cannot be used to exploit other users
- Missing cookie flags on non-sensitive cookies
- CSRF on unauthenticated endpoints
- OPTIONS/TRACE HTTP method enabled
- Host header issues without proof-of-concept demonstrating the vulnerability
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Any attacks requiring physical access to a user's device
- CSP issues unless exploitable with POC
- Only reports of new, unknown vulnerabilities are eligible for a reward. A vulnerability is known (i.e. a duplicate) if it’s already been reported externally or discovered internally.
- Vulnerabilities already publicly disclosed will not be eligible for a reward.
- After reporting, details of a vulnerability may only be made public with express authorization from Ava Labs.
- Avoid using web application scanners for automatic vulnerability searching, as they generate massive traffic
- Do not intentionally exploit any vulnerabilities you found:
- Avoid causing damage to, or restricting the availability of, products, services or infrastructure
- Don't access or modify user data you do not own; localize all tests to your own accounts
- Perform testing only within the scope
- Intimidation of, or threats against, Ava Labs team members and community, whether actual or simulated, are strictly forbidden
- Social engineering (including phishing) targeting Ava Labs team members and community is strictly forbidden
- Physical intrusion attempts targeting Ava Labs' property or data centers are strictly forbidden.
- In case you find chain vulnerabilities, you'll be eligible for the reward based on overall severity.
- You are responsible for staying within your local laws.
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or Ava Labs security team member.
- We strive to maintain a healthy relationship with the security research community and base our report evaluation on industry norms and logical reasoning. However, in case of any disputes, our decision is final.