Linen is a self-custodial wallet built with Safe for iOS and Android devices. It eliminates a single point of failure related to private key management by providing easy wallet recovery based on multi-sig technology. Linen does not take custody of user assets, so its security policy is centered on how well the software allows users to safely and privately interact with their own assets
In Scope
| Target | Type | Severity | Reward |
|---|---|---|---|
https://apps.apple.com/app/apple-store/id1480509067 |
iOS | Critical | Bounty |
https://api.linen.app/ |
API | Critical | Bounty |
https://play.google.com/store/apps/details?id=app.linen.wallet |
Android | Critical | Bounty |
Out of scope
| Target | Type | Severity |
|---|---|---|
https://linen.app/ |
Web | None |
https://blog.linen.app/ |
Web | None |
https://support.linen.app/ |
Web | None |
Only the issues under the scope described above are eligible for the reward.
IN-SCOPE VULNERABILITIES (WEB, MOBILE)
We are interested in the following vulnerabilities:
- Business logic issues
- Access to assets stored in users' wallets
- Payments manipulation
- Remote code execution (RCE)
- Injection vulnerabilities
- Access Control Issues (IDOR, Privilege Escalation, etc)
- Leakage of sensitive information: user emails, passwords or any personal information
- Other vulnerability with a clear potential loss of assets
OUT OF SCOPE
- Targets specified as
Out of scope
- MITM/physical access to a user’s device
- SSL/TLS Configuration
- Denial of Service attacks
- Any third-party service used by Linen
- Spam or Social Engineering techniques, including SPF and DKIM issues
- Theoretical vulnerabilities without actual proof of concept
- Information disclosure with minimal security impact (E.g., stack traces, path disclosure, directory listings, logs)
- DNSSEC setup
- Decisions on the eligibility and size of a reward are the sole discretion of Linen.
- When possible, avoid privacy violations, degradation of user experience, and disruption to production systems or data during security testing.
- Any activities conducted in a manner consistent with these rules and guidelines will be considered authorized conduct, and we will not initiate legal action against you.
- In case that your findings is valid you will be asked for KYC verification to proceed with payments.
- Filling in a W-9 or W-8ben form might be also requested.
- Report vulnerabilities as soon as you discover them, but keep the information confidential between yourself and the Linen team until we have resolved the issue.
- Public disclosure of a vulnerability will make it ineligible for a bounty.
We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- Issues must be new to the team. They cannot already been identified by another bounty hunter or by our audit.
- The vulnerability must be a qualifying vulnerability.
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com.
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
- Issues without steps to reproduce are ineligible for the bug bounty.
- You must not be a former or current employee/contractor of us.
- Decisions on the eligibility and size of a reward are at the sole discretion of Linen team.