Status is a secure messaging app, crypto wallet, and Web3 browser built with state-of-the-art technology.
Status uses a suite of privacy-preserving, peer-to-peer messaging protocols called Waku. It removes centralized third parties from messaging and enables private, secure, censorship-free communication with no single point of failure.
Check Out The Rewards
If you find a vulnerability according to the bounty rules, Status will reward you:
- Critical: $3,000 – $5,000
- High: $1,000 – $3,000
- Medium: $300 – $1,000
- Low: $100 – $300
Join The Bounty Hunt
There are 4 code repositories to scope.
Make sure your reports contain info about these incidents:
- Please do not engage with infrastructure hosted on infra.status.im and all subdomains as any scanning and testing activity is treated as an incident. Violations lead to an exclusion from our program.
- Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, it will not be eligible for a reward.
- Submit one vulnerability per a report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report received (provided that we can fully reproduce).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Researchers may not, and are not authorized to engage in any activity that would be disruptive, damaging, or harmful to Status.im, Waku & Vac brands or its users. This includes social engineering (e.g., phishing, vishing, smishing), physical security, and denial of service attacks against users, employees, or Status.im as a whole. Social engineering is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- If you gain access to sensitive information such as personal information, credentials as part of vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after the initial discovery.
- Only reports submitted to this program and against assets in scope will be eligible for a monetary award.
- Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools – these tools include payloads that could trigger state changes or damage production systems and data.
- Before causing damage or potential damage: Stop, report what you’ve found and requested additional testing permission.
- Previous bounty amounts are not considered a precedent for future bounty amounts.
To increase your chances of finding a critical bug, read Waku documentation here.
Once you’re ready, click here to join the bounty hunt!