Bug bounty
Triaged by HackenProof

Avalanche Websites and APIs: Program info

Company: Avalanche
This program left the platform 290 days ago.
In scope

Target | Type | Severity | Reward
*.avalabs.org | Web | Critical | Bounty
*.avax.network | Web | Critical | Bounty
*.avax-test.network | Web | Critical | Bounty
api.avax.network | API | Critical | Bounty
api.avax-test.network | API | Critical | Bounty
*.avax-dev.network | Web | Critical | Bounty
support.avalabs.org | Web | None | Bounty
Avalanche-Wallet (https://github.com/ava-labs/Avalanche-Wallet) | Web | Critical | Bounty
AvalancheJS (https://github.com/ava-labs/AvalancheJS) | Web | Critical | Bounty
Avalanche-Wallet-SDK (https://github.com/ava-labs/Avalanche-Wallet-SDK) | Web | Critical | Bounty
Out of scope

Target | Type | Severity | Reward
chat.avax.network | Web | None | Bounty
docs.avax.network | Web | None | Bounty
chat.avalabs.org | Web | None | Bounty
buy.avax.network | Web | None | Bounty
*.snowtrace.io | Web | None | Bounty
community.avax.network | Web | None | Bounty
test*.avax.network | Web | None | Bounty
forum.avax.netowrk | Web | None | Bounty
avalanche-hub.com | Web | None | Bounty
academy.avax.network | Web | None | Bounty
*.avacloud.io | Web | None | Bounty

Focus Area

In-Scope Vulnerabilities

  • Unauthorized remote code execution
  • Domain takeover
  • Injection attacks
  • Leaked secrets or sensitive information
  • Account takeover
  • Access control flaws
  • Other vulnerabilities with a clear potential loss

Out-of-Scope Vulnerabilities

  • Any Denial-of-Service/Spam Attack of any API
  • Vulnerabilities in third-party applications
  • Unexploitable theoretical or best-practice concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, spam, phishing, physical, or other fraud activities
  • Most brute-forcing issues without clear impact
  • Non-sensitive Information Disclosure
  • Clickjacking/tapjacking and issues only exploitable through clickjacking/tapjacking
  • Self-XSS that cannot be used to exploit other users
  • Missing cookie flags on non-sensitive cookies
  • CSRF on unauthenticated endpoints
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Any attacks requiring physical access to a user's device
  • CSP issues unless exploitable with POC

Program Rules

  • Only reports of new, unknown vulnerabilities are eligible for a reward. A vulnerability is known (i.e. a duplicate) if it’s already been reported externally or discovered internally.
  • Vulnerabilities already publicly disclosed will not be eligible for a reward.
  • After reporting, details of a vulnerability may only be made public with expressed authorization from Ava Labs.
  • Avoid using web application scanners for automated vulnerability searching, as they generate massive traffic
  • Do not intentionally exploit any vulnerabilities you find:
      • Avoid causing damage to, or restricting the availability of, products, services or infrastructure
      • Don’t access or modify user data you do not own; limit all tests to your own accounts
      • Perform testing only within the scope
  • Intimidation or threats against Ava Labs team members and community, whether actual or simulated, are strictly forbidden
  • Social engineering (including phishing) targeting Ava Labs team members and community is strictly forbidden
  • Physical intrusion attempts targeting Ava Labs' property or data centers are strictly forbidden.
  • If you find chained vulnerabilities, you’ll be eligible for the reward based on overall severity.
  • You are responsible for staying within your local laws.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof team or the Ava Labs security team.
  • We strive to maintain a healthy relationship with the security research community and base our report evaluation on industry norms and logical reasoning. However, in case of any disputes, our decision is final.

Rewards

Range of bounty: $100 - $10,000

Severity | Reward
Critical | $5,000 - $10,000
High | $1,000 - $5,000
Medium | $500 - $1,000
Low | $100 - $500

Stats

Total rewards: $21,550
Reports submitted: 261
Types: web, blockchain, smart contract

Hackers (5)

2. Abhishek Birdawade
3. YAUHENI SAVUSHKIN
4. Shobhit Kumar Gangwar
5. Abdullah

SLA (Service Level Agreement)

Time within which the program's triage team must respond:

Response Type | Business days
First Response | 3d
Triage Time | 5d
Reward Time | 14d
Resolution Time | 30d