Blockchain.com Web & Mobile: Program info

IN SCOPE VULNERABILITIES (WEB, MOBILE)

We are interested in the following vulnerabilities:

• Business logic issues
• Payments manipulation
• Remote code execution (RCE)
• Injection vulnerabilities (SQL, XXE)
• File inclusions (Local & Remote)
• Access Control Issues (IDOR, Privilege Escalation, etc)
• Leakage of sensitive information
• Server-Side Request Forgery (SSRF)
• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• Directory traversal
• Other vulnerabilities with a clear potential loss

OUT OF SCOPE

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

• Open redirect at blockchain.com/r unless you devise a way to bypass the warning screen
• Registering multiple wallet accounts with the same email address is an intended feature.
• Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.
• Clickjacking on pages with no sensitive actions.
• Password, email, and account policies, such as email address verification, password complexity.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Rate limiting or brute-force issues on non-authentication endpoints
• Missing flags like HttpOnly or Secure on cookies
• Missing best practices in Content Security Policy or best practice security headers
• Presence of autocomplete attribute on web forms
• Tabnabbing or Reverse tabnabbing
• Blind SSRF without proven business impact (DNS pingback only is not sufficient)
• Open redirect - unless an additional security impact can be demonstrated
• Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Phishing websites and malware lookalike applications (please report to Support staff instead)
• Physical security of our offices, employees, etc.
• Non-security-impacting UX issues

Third party providers and services

Web applications operated by third parties are only considered in scope under the following ways:

• Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.
• Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward these issues on top of the vendor based on the outcome of that report.

The following assets represent third-party applications, along with their vendors to report issues to:

• email-clicks.blockchain.com (SendGrid)
• support.blockchain.com (ZenDesk)
• blog.blockchain.com (Medium)
• docs.blockchain.com (GitBook)

Responsible Testing

• Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
• Make every effort not to damage or restrict the availability of products, services, or infrastructure
• Avoid compromising any personal data, interruption, or degradation of any service
• Don’t access or modify other user data, localize all tests to your accounts

Scope and Limitations

• Perform testing only within the scope
• Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
• Don’t spam forms or account creation flows using automated scanners

Vulnerability Reporting

• In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity
• Don’t break any law and stay in the defined scope
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
• No vulnerability disclosure, including partial is allowed for the moment
• Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability
• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary
• You must not be a former or current employee of us or one of its contractor
• ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
• Provide detailed but to-the point reproduction steps