Bug bounty
Triaged by Hackenproof

Blockchain.com Web & Mobile: Program info

Blockchain.com Web & Mobile

Company: Blockchain.com
Live
Program is active now
Program infoHackers (21)Reports

Welcome to the Blockchain.com Bug Bounty Program! As a pioneer in the cryptocurrency space, Blockchain.com has been at the forefront of developing crucial infrastructure for the Bitcoin community. We started with the Blockchain Explorer, empowering users to examine transactions and understand the blockchain, and an API that enabled businesses to build on Bitcoin. Furthermore, we provide a widely popular and user-friendly crypto wallet, allowing individuals globally to securely manage their own digital assets. Thank you for your interest in helping us enhance the security of our platform! Your contributions are highly valued.

Getting Started If you are new to Blockchain.com, we strongly encourage you to review our Security Learning Portal to familiarise yourself with our products and their security considerations before submitting any reports.

In scope
TargetTypeSeverityReward
blockchain.com
copy
Copy
success Copied
Web
Critical
Bounty
ws.blockchain.info
copy
Copy
success Copied
API
Critical
Bounty
api.blockchain.info
copy
Copy
success Copied
API
Critical
Bounty
https://play.google.com/store/apps/details?id=piuk.blockchain.android
copy
Copy
success Copied
Android
Critical
Bounty
https://apps.apple.com/us/app/blockchain-com-buy-btc-sol/id493253309
copy
Copy
success Copied
iOS
Critical
Bounty
Target
blockchain.com
copy
Copy
success Copied
TypeWeb
Severity
Critical
RewardBounty
Target
ws.blockchain.info
copy
Copy
success Copied
TypeAPI
Severity
Critical
RewardBounty
Target
api.blockchain.info
copy
Copy
success Copied
TypeAPI
Severity
Critical
RewardBounty
Target
https://play.google.com/store/apps/details?id=piuk.blockchain.android
copy
Copy
success Copied
TypeAndroid
Severity
Critical
RewardBounty
Target
https://apps.apple.com/us/app/blockchain-com-buy-btc-sol/id493253309
copy
Copy
success Copied
TypeiOS
Severity
Critical
RewardBounty
Out of scope
TargetTypeSeverityReward
email-clicks.blockchain.com
copy
Copy
success Copied
Web
None
Bounty
support.blockchain.com
copy
Copy
success Copied
Web
None
Bounty
blog.blockchain.com
copy
Copy
success Copied
Web
None
Bounty
docs.blockchain.com
copy
Copy
success Copied
Web
None
Bounty
institutional.blockchain.com
copy
Copy
success Copied
Web
None
Bounty
Target
email-clicks.blockchain.com
copy
Copy
success Copied
TypeWeb
Severity
None
RewardBounty
Target
support.blockchain.com
copy
Copy
success Copied
TypeWeb
Severity
None
RewardBounty
Target
blog.blockchain.com
copy
Copy
success Copied
TypeWeb
Severity
None
RewardBounty
Target
docs.blockchain.com
copy
Copy
success Copied
TypeWeb
Severity
None
RewardBounty
Target
institutional.blockchain.com
copy
Copy
success Copied
TypeWeb
Severity
None
RewardBounty

Focus Area

IN SCOPE VULNERABILITIES (WEB, MOBILE)

We are interested in the following vulnerabilities:

  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Injection vulnerabilities (SQL, XXE)
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Directory traversal
  • Other vulnerabilities with a clear potential loss

OUT OF SCOPE

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

  • Open redirect at blockchain.com/r unless you devise a way to bypass the warning screen
  • Registering multiple wallet accounts with the same email address is an intended feature.
  • Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.
  • Clickjacking on pages with no sensitive actions.
  • Password, email, and account policies, such as email address verification, password complexity.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Missing flags like HttpOnly or Secure on cookies
  • Missing best practices in Content Security Policy or best practice security headers
  • Presence of autocomplete attribute on web forms
  • Tabnabbing or Reverse tabnabbing
  • Blind SSRF without proven business impact (DNS pingback only is not sufficient)
  • Open redirect - unless an additional security impact can be demonstrated
  • Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Phishing websites and malware lookalike applications (please report to Support staff instead)
  • Physical security of our offices, employees, etc.
  • Non-security-impacting UX issues

Third party providers and services

Web applications operated by third parties are only considered in scope under the following ways:

  • Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.
  • Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward these issues on top of the vendor based on the outcome of that report.

The following assets represent third-party applications, along with their vendors to report issues to:

  • email-clicks.blockchain.com (SendGrid)
  • support.blockchain.com (ZenDesk)
  • blog.blockchain.com (Medium)
  • docs.blockchain.com (GitBook)

Program Rules

Responsible Testing

  • Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts

Scope and Limitations

  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners

Vulnerability Reporting

  • In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial is allowed for the moment
  • Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary
  • You must not be a former or current employee of us or one of its contractor
  • ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the point reproduction steps
Rewards
Trusted Payer
This company has funded a bounty deposit.
Range of bounty$100 - $10,000
Severity
Critical
$7,000 - $10,000
High
$3,000 - $5,000
Medium
$700 - $1,250
Low
$100 - $250
Stats
Scope Review4516
Submissions45
Total rewards$0
Types
Web
apps
Platforms
IOS
Android
Project types
Wallet
Hackers (21) View all
dglabz
1
Mostafa Lashin
2
Nischal Karki
3
Abdehaq Gamal
4
Santiko Kusnul Hakim
5
SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response3d
Triage Time5d
Reward Time10d
Resolution Time30d