Solv Web & Infrastructure : Program info

IN SCOPE VULNERABILITIES

All in-scope vulnerability reports must include a Proof of Concept (PoC) that demonstrates real-world impact. Submissions without a PoC will not be considered.

Web & Application Vulnerabilities

• Business logic issues
• Payments manipulation
• Remote code execution (RCE)
• Injection vulnerabilities (SQL, XXE)
• File inclusions (Local & Remote)
• Access Control Issues (IDOR, Privilege Escalation, etc.)
• Leakage of sensitive information
• Server-Side Request Forgery (SSRF)
• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• Directory traversal

Infrastructure & Cloud Vulnerabilities

• Cloud infrastructure misconfigurations
• Network vulnerabilities
• Container security issues
• Server configuration and infrastructure software bugs
• Identity Access Management (IAM) issues
• Logging, monitoring, and alerting gaps
• Compound or multi-step attacks
• Leakage of internal authentication credentials
• Disclosure of internal network details
• Compromise of infrastructure management interfaces
• Exposure of confidential system configurations
• Disclosure of internal communication platforms

Other

• Any other vulnerability with a clear potential for loss (considered at our discretion)

OUT OF SCOPE VULNERABILITIES

Vulnerabilities identified in out-of-scope resources are generally not eligible for rewards unless they present a significant business risk, as determined at our sole discretion.

General Exclusions

• Recently (less than 30 days) disclosed zero-day vulnerabilities
• Vulnerabilities in third-party applications (excluding critical vulnerabilities)
• Assets that do not belong to the company
• Social engineering, phishing, physical, or other fraud activities
• Reports generated by automated scanners or exploit tools (without researcher analysis or actionable proof)
• Reports that state software is out of date/vulnerable without a proof of concept
• Theoretical or purely speculative exploits without demonstrated business impact
• Best practices concerns

Web Vulnerabilities Exclusions

• Vulnerabilities affecting users of outdated browsers or platforms
• Publicly accessible login panels without proof of exploitation
• Vulnerabilities involving active content such as web browser add-ons
• Most brute-forcing issues without clear impact
• Denial of service (DoS/DDoS)
• Moderately sensitive information disclosure
• Spam (SMS, email, etc.)
• Missing HTTP security headers
• Open redirects
• Session fixation
• User account enumeration
• Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking
• Descriptive error messages (e.g., Stack Traces, application or server errors)
• Self-XSS that cannot be used to exploit other users
• Login & Logout CSRF
• Weak Captcha/Captcha Bypass
• Lack of Secure and HTTPOnly cookie flags
• Username/email enumeration via Login/Forgot Password Page error messages
• CSRF in forms available to anonymous users (e.g., the contact form)
• OPTIONS/TRACE HTTP method enabled
• Host header issues without proof-of-concept demonstrating clear security impact
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Content Spoofing without embedded links/HTML
• Reflected File Download (RFD)
• Mixed HTTP Content / HTTPS Mixed Content Scripts
• Manipulation with Password Reset Token
• MitM and local attacks
• Response manipulations without demonstration of system state change

Infrastructure Vulnerabilities Exclusions

• Certificates/TLS/SSL-related issues
• DNS issues (i.e., MX records, SPF records, DMARC records, etc.)
• Server configuration issues (i.e., open ports, TLS, etc.) without demonstrated impact

Testing Guidelines

• Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
• Make every effort not to damage or restrict the availability of products, services, or infrastructure
• Avoid compromising any personal data, interruption, or degradation of any service
• Don't access or modify other user data, localize all tests to your accounts
• Perform testing only within the scope
• Don't exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
• Don't spam forms or account creation flows using automated scanners
• Don't break any law and stay in the defined scope

Reward Rules

• Bounty reward is determined by the proportion of potential damage and is limited by a severity rewards range
• The rewards are paid in $SOLV, subject to the project’s decision.
• KYC is mandatory for the payment of rewards related to Medium, High, and Critical severity vulnerability reports.
• In case you find chain vulnerabilities we'll pay only for vulnerability with the highest severity
• Non-production vulnerabilities are limited to High severity
• Maximum Critical rewards are reserved for vulnerabilities that demonstrate:
  • Direct loss of user funds without requiring user interaction
  • Leakage of sensitive cryptographic material leading to unauthorized access to user assets

Confidentiality

• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
• No vulnerability disclosure, including partial is allowed for the moment.
• Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
• You must not be a former or current employee of us or one of its contractor.
• ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
• Provide detailed but to-the point reproduction steps
• AI-generated reports without runable PoC are not accepted under this program.