Bug bounty
Triaged by HackenProof

Linen API & Mobile: Program info

Company: Linen
This program left 318 days ago

Linen is a self-custodial wallet built with Safe for iOS and Android devices. It eliminates a single point of failure related to private key management by providing easy wallet recovery based on multi-sig technology. Linen does not take custody of user assets, so its security policy is centered on how well the software allows users to safely and privately interact with their own assets.

In scope

| Target | Type | Severity | Reward |
|---|---|---|---|
| https://apps.apple.com/app/apple-store/id1480509067 | iOS | Critical | Bounty |
| https://api.linen.app/ | API | Critical | Bounty |
| https://play.google.com/store/apps/details?id=app.linen.wallet | Android | Critical | Bounty |

Out of scope

| Target | Type | Severity | Reward |
|---|---|---|---|
| https://linen.app/ | Web | None | Bounty |
| https://blog.linen.app/ | Web | None | Bounty |
| https://support.linen.app/ | Web | None | Bounty |


Focus Area

Only the issues under the scope described above are eligible for the reward.

IN-SCOPE VULNERABILITIES (WEB, MOBILE)

We are interested in the following vulnerabilities:

  • Business logic issues
  • Access to assets stored in users' wallets
  • Payments manipulation
  • Remote code execution (RCE)
  • Injection vulnerabilities
  • Access Control Issues (IDOR, Privilege Escalation, etc.)
  • Leakage of sensitive information: user emails, passwords or any personal information
  • Other vulnerabilities with a clear potential loss of assets

OUT OF SCOPE

  • Targets specified as "Out of scope"
  • MITM/physical access to a user’s device
  • SSL/TLS Configuration
  • Denial of Service attacks
  • Any third-party service used by Linen
  • Spam or Social Engineering techniques, including SPF and DKIM issues
  • Theoretical vulnerabilities without actual proof of concept
  • Information disclosure with minimal security impact (e.g., stack traces, path disclosure, directory listings, logs)
  • DNSSEC setup

Program Rules

  • Decisions on the eligibility and size of a reward are the sole discretion of Linen.
  • When possible, avoid privacy violations, degradation of user experience, and disruption to production systems or data during security testing.
  • Any activities conducted in a manner consistent with these rules and guidelines will be considered authorized conduct, and we will not initiate legal action against you.
  • If your finding is valid, you will be asked to complete KYC verification to proceed with payment.
  • You might also be asked to fill in a W-9 or W-8BEN form.

Disclosure Guidelines

  • Report vulnerabilities as soon as you discover them, but keep the information confidential between yourself and the Linen team until we have resolved the issue.
  • Public disclosure of a vulnerability will make it ineligible for a bounty.

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports that help us improve security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • Issues must be new to the team. They cannot have already been identified by another bounty hunter or by our audit.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, and include attachments such as screenshots or proof of concept code as necessary.
  • Issues without steps to reproduce are ineligible for the bug bounty.
  • You must not be a former or current employee/contractor of ours.
  • Decisions on the eligibility and size of a reward are at the sole discretion of the Linen team.

Rewards

Range of bounty: $50 - $10,000

| Severity | Reward |
|---|---|
| Critical | $3,000 - $10,000 |
| High | $500 - $1,000 |
| Medium | $150 - $300 |
| Low | $50 - $100 |

Stats

  • Total rewards: $750
  • Reports submitted: 19
  • Types: mobile

Hackers (5)

  • bugbountydegen (1)
  • sh3rl0ck h0lm3s (2)
  • barret brown (3)
  • zenython (4)
  • Chouat abderrahmane (5)

SLA (Service Level Agreement)

Time within which the program's triage team must respond

| Response Type | Business days |
|---|---|
| First Response | 5d |
| Triage Time | 5d |
| Reward Time | 5d |
| Resolution Time | 14d |