BloFin Web & Mobile: Program info

Bug classification：

Critical

Can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way

High

• SQL injection to system (backend loophole reports would be downrated, while submission in * pack uprated if appropriate)
• Unauthorized access to sensitive data, including but not limited to bypassing authentication * to access the backend, weak backend password, and SSRF that obtains considerable * sensitive information from the intranet
• Serious logical design flaws and process flaws. Including but not limited to any user login vulnerability, batch modification of any account password vulnerability, logic vulnerability involving the core business of the enterprise, etc., except for verification code blasting
• Local arbitrary code execution. Including, but not limited to, locally exploitable code * execution and native code execution vulnerabilities caused by other logical issues
• Other vulnerabilities affecting users on a large scale. Including but not limited to stored XSS that can be automatically propagated by important pages, stored XSS that can obtain administrator authentication information and successfully exploited, etc.

Medium

• Vulnerabilities that require interaction to affect users. Including but not limited to stored XSS * of general pages, CSRF involving core business, etc.
• Ordinary unauthorized operation. Including but not limited to bypassing restrictions, modifying user information, performing user operations, etc.
• Vulnerabilities that can be caused by the successful blasting of sensitive system operations * such as arbitrary account login and arbitrary password retrieval due to verification code logic
• The locally stored sensitive authentication key information is leaked, and it needs to be * effectively used.
• Subdomain takeover

Low

• Local Denial of Service Vulnerability. Including but not limited to client-side local denial of service (parsing file formats, crashes caused by network protocols), exposure of Android component permissions, problems caused by common application permissions, etc.
• General information leakage. Including but not limited to Web path traversal, system path traversal, directory browsing, etc.
• Reflected XSS (including DOM XSS / Flash XSS)
• Normal CSRF
• URL redirection vulnerability

OUT OF SCOPE - WEB：

• Vulnerabilities in third-party applications
• Vulnerabilities requiring any third-party apps (including malware) to be installed in the victims device
• Other browser sessions not logging out immediately upon a change in password/ setup of 2FA
• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis
• Vulnerabilities affecting users of outdated browsers or platforms
• Social engineering, phishing, physical, or other fraud activities
• Publicly accessible login panels without proof of exploitation • Issues related to unsafe SSL/TLS cipher suites or protocol version
• Use of known vulnerable libraries without actual proof of concept
• Email verification deficiencies, expiration of password reset links, and password complexity policies
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• Missing HttpOnly or Secure flags on cookies
• Exposure of internal IP address or domains
• DNS Hijacking
• Community Broken Link Hijacking
• Denial of service
• Email or mobile enumeration (E.g. the ability to identify emails via password reset)
• Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
• Internally known issues, duplicate issues, or issues which have already been made public
• Self-XSS
• Tab-nabbing
• Vulnerabilities related to auto-fill web forms
• Content spoofing
• Cache-control related issues
• Missing security headers that do not lead to direct exploitation
• CSRF with negligible security impact (E.g. adding to favourites, adding to cart, subscribing to a non critical feature)
• Issues that have no security impact (E.g. Failure to load a web page)
• Reports from automated tools or scans
• Any activity (like DoS/DDoS) that disrupts our services

OUT OF SCOPE - MOBILE：

• Vulnerabilities that require root/jailbreak
• Installation Path Permissions
• Vulnerabilities that require physical access to a users device
• Vulnerabilities requiring extensive user interaction
• Exposure of non-sensitive data on the device• Reports from static analysis of the binary without PoC that impacts business logic
• Lack of obfuscation/binary protection/root(jailbreak) detection
• Bypass certificate pinning on rooted devices
• Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
• Sensitive data in URLs/request bodies when protected by TLS
• Path disclosure in the binary
• OAuth & app secret hard-coded/recoverable in IPA, APK
• Reports from automated tools or scans
• Sensitive information retained as plaintext in the device’s memory
• Any kind of sensitive data stored in-app private directory
• Runtime hacking exploits using tools like but not limited to Frida, Xposed,Appmon (exploits only possible in a jailbroken environment)
• Shared links leaked through the system clipboard
• Exposure of API keys with no security impact (Google Maps API keys etc.)
• Everything included in the OUT OF SCOPE - WEB section

• Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
• Make every effort not to damage or restrict the availability of products, services, or infrastructure
• Avoid compromising any personal data, interruption, or degradation of any service
• Don’t access or modify other user data, localize all tests to your accounts
• Perform testing only within the scope
• Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
• Don’t spam forms or account creation flows using automated scanners
• Don’t break any law and stay in the defined scope
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
• No vulnerability disclosure, including partial is allowed for the moment.
• Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
• You must not be a former or current employee of us or one of its contractor.
• ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
• Provide detailed but to-the point reproduction steps