Cronos Web: Program Info

Triaged by HackenProof
Cronos

This bug bounty program covers web vulnerabilities in Cronos ecosystem applications that would directly lead to loss of user funds, a breach of sensitive data, or deletion of site data.

In Scope

Target                      Type     Severity  Reward
https://vvs.finance/        Web/App  Critical  Bounty
https://tectonic.finance    Web/App  Critical  Bounty
https://veno.finance        Web/App  Critical  Bounty
https://fulcrom.finance     Web/App  Critical  Bounty
https://orby.network        Web/App  Critical  Bounty
https://ferroprotocol.com   Web/App  Critical  Bounty
https://minted.network/     Web/App  Critical  Bounty
https://cronosid.xyz/       Web/App  Critical  Bounty

IN-SCOPE: WEB/APP VULNERABILITIES

Only the latest release version deployed to mainnet is considered in scope for the bug bounty program. Please note that the following are out of scope:

  • All folders and files labeled as “Mock” or “Test”

Impacts in scope

The following web vulnerability classes are covered:

  • Remote Code Execution
  • Significant manipulation of the account balance
  • Leakage of sensitive data
  • XSS/CSRF/Clickjacking affecting sensitive actions
  • Theft of privileged information
  • Partial authentication bypass
  • Other vulnerability with clear potential for financial or data loss
  • Other XSS (excluding Self-XSS)
  • Other CSRF (excluding logout CSRF)

OUT OF SCOPE: WEB/APP VULNERABILITIES

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks that rely on social engineering
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses

Websites and Apps

  • Theoretical vulnerabilities without any proof or demonstration
  • Content spoofing/Text injection issues
  • Captcha bypass using OCR
  • CSRF with no security impact (logout CSRF, change language, etc.)
  • Missing HTTP security headers (such as X-Frame-Options) or cookie security flags (such as HttpOnly) without a demonstrated exploit
  • Server-side information disclosure such as IPs, server names, directory listing without sensitive information, and most stack traces
  • Vulnerabilities used to enumerate or confirm the existence of users or tenants
  • Vulnerabilities requiring unlikely user actions
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  • Lack of SSL/TLS best practices
  • Attacks requiring privileged access from within the organization
  • Clickjacking/UI redressing with minimal security impact
  • Tab-nabbing / Self-XSS / Denial of service (DoS) / Spamming / Usability issues
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI
  • Reports from automated tools or scans, without exploitability demonstration
  • Vulnerabilities related to autofill web forms
  • Use of known vulnerable libraries without actual proof of concept
  • Vulnerabilities that require physical access to a user's device

Program Rules

  • Any testing with mainnet or public testnet contracts is prohibited by this bug bounty program; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts is prohibited by this bug bounty program
  • Attempting phishing or other social engineering attacks against our employees and/or customers is prohibited by this bug bounty program
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks) is prohibited by this bug bounty program
  • Public disclosure of an unpatched vulnerability in an embargoed bounty is prohibited by this bug bounty program
  • Avoid using web application scanners for automated vulnerability searching or automated testing of services that generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other users' data; confine all tests to your own accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • If you find a chain of vulnerabilities, only the vulnerability with the highest severity in the chain is paid
  • Don’t break any law and stay in the defined scope
  • Details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof team or an authorized employee of this Company without appropriate permission
  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial disclosure, is allowed at this time
  • Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports that help us improve security. However, only reports that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary
  • You must not be a former or current employee of the Company or of one of its contractors
  • ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)

All bug reports must come with a Proof-of-Concept (PoC) in order to be considered for a reward. For web/app bug reports, if the report does not include a valid PoC, eligibility for a reward will be decided according to the reproducibility and severity of the vulnerability, and the reward amount may be reduced significantly. The specific amount of the bounty will vary according to:

  • The potential for abuse of the bug
  • The detection complexity of an exploit of the bug
  • The impact of the bug
  • Whether the reporter suggests a fix for the bug or helps with its resolution

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily focused on the funds at risk, but also taking into account branding and PR considerations, at the discretion of the team.

Vulnerabilities that directly affect the smart contracts or the app and directly cause unintended withdrawals, draining of funds, or loss of user funds are prioritized. This means the team may apply a temporary fix (or pause the contract) before resolving the bug report. This is done to keep the affected funds safe while the team analyses the report, and is NOT a confirmation that the report is valid.

The only web vulnerabilities in scope are those that directly lead to loss of user funds, a breach of sensitive data, or deletion of site data. For web vulnerabilities, the Cronos team will use a CVSS calculator to determine the severity and, based on that score, the reward for the bounty.

The Cronos team requires KYC for all bug bounty hunters who submit a report and want a reward. Once the report is deemed valid, you will need to fill in the KYC form here. This information is collected by the Cronos team.

Payouts are handled by the Cronos team and are denominated in USD. Payouts are made in USDC and USDT only, with the ratio between them at the discretion of the Cronos team.

Severity (CVSS score)    Reward (USD)
Low (0.1 - 3.9)          100 - 300
Medium (4.0 - 6.9)       300 - 600
High (7.0 - 8.9)         600 - 1500
Critical (9.0 - 10.0)    1500 - 2500

The Cronos team reserves the final decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award based on its severity.