Cronos Web: Program info

IN-SCOPE: WEB/APP VULNERABILITIES

Only the latest release version deployed to mainnet is considered as in-scope of the bug bounty program. Please note the following are out of scope: All folders and files labeled as “Mock” or “Test”

Impacts in scope

All web vulnerabilities are covered here:

• Remote Code Execution
• Significant manipulation of the account balance
• Leakage of sensitive data
• XSS/CSRF/Clickjacking affecting sensitive actions
• Theft of privileged information
• Partial authentication bypass
• Other vulnerability with clear potential for financial or data loss
• Other XSS (excluding Self-XSS)
• Other CSRF (excluding logout CSRF)

OUT OF SCOPE: WEB/APP VULNERABILITIES

The following vulnerabilities are excluded from the rewards for this bug bounty program:

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks that rely on social engineering
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses

Websites and Apps

• Theoretical vulnerabilities without any proof or demonstration
• Content spoofing/Text injection issues
• Captcha bypass using OCR
• CSRF with no security impact (logout CSRF, change language, etc.)
• Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
• Server-side information disclosure such as IPs, server names, directory listing without sensitive information, and most stack traces
• Vulnerabilities used to enumerate or confirm the existence of users or tenants
• Vulnerabilities requiring unlikely user actions
• URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
• Lack of SSL/TLS best practices
• Attacks requiring privileged access from within the organization
• Clickjacking/UI redressing with minimal security impact
• Tab-nabbing / Self-XSS / Denial of service (DoS) / Spamming / Usability issues
• Vulnerabilities only exploitable on out-of-date browsers or platforms
• Vulnerabilities in third party applications which make use of the Crypto.com OpenAPI
• Reports from automated tools or scans, without exploitability demonstration
• Vulnerabilities related to autofill web forms
• Use of known vulnerable libraries without actual proof of concept
• Vulnerabilities that require physical access to a user's device

• Any testing with mainnet or public testnet contracts is prohibited by this bug bounty program; all testing should be done on private testnets
• Any testing with pricing oracles or third party smart contracts is prohibited by this bug bounty program
• Attempting phishing or other social engineering attacks against our employees and/or customers is prohibited by this bug bounty program
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks) is prohibited by this bug bounty program
• Public disclosure of an unpatched vulnerability in an embargoed bounty is prohibited by this bug bounty program
• Avoid using web application scanners for automatic vulnerability searching or automated testing of services which generates massive traffic
• Make every effort not to damage or restrict the availability of products, services, or infrastructure
• Avoid compromising any personal data, interruption, or degradation of any service
• Don’t access or modify other user data, localize all tests to your accounts
• Perform testing only within the scope
• Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
• Don’t spam forms or account creation flows using automated scanners
• In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
• Don’t break any law and stay in the defined scope
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
• No vulnerability disclosure, including partial is allowed for the moment
• Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability
• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary
• You must not be a former or current employee of us or one of its contractor
• ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)