Bug bounty
Triaged by HackenProof

Status: Program info

Status

Company: IFT
This program is active now
Program info

Status strives to be a secure communication tool that upholds human rights. Designed to enable the free flow of information, protect the right to private, secure conversations, and promote the sovereignty of individuals.

In scope
TargetTypeSeverityReward
https://apps.apple.com/us/app/status-private-communication/id1178893006
iOS
None
Bounty
https://status-im-files.ams3.cdn.digitaloceanspaces.com/StatusIm-Mobile-v1.19.0-d6a6c4.apk
Android
None
Bounty
macOS desktop application available at https://status.app/ for Intel and Silicon

macOS desktop application

Other
None
Bounty
https://status.app/api/download/windows

Windows desktop application

Other
None
Bounty
https://status.app/api/download/linux

Linux desktop application

Web
None
Bounty
*.status.im
Web
None
Bounty
Status Smart Contracts
Smart Contract
None
Bounty
*.status.app
Web
None
Bounty
Target
https://apps.apple.com/us/app/status-private-communication/id1178893006
TypeiOS
Severity
None
RewardBounty
Target
https://status-im-files.ams3.cdn.digitaloceanspaces.com/StatusIm-Mobile-v1.19.0-d6a6c4.apk
TypeAndroid
Severity
None
RewardBounty
Target
macOS desktop application available at https://status.app/ for Intel and Silicon

macOS desktop application

TypeOther
Severity
None
RewardBounty
Target
https://status.app/api/download/windows

Windows desktop application

TypeOther
Severity
None
RewardBounty
Target
https://status.app/api/download/linux

Linux desktop application

TypeWeb
Severity
None
RewardBounty
Target
*.status.im
TypeWeb
Severity
None
RewardBounty
Target
Status Smart Contracts
TypeSmart Contract
Severity
None
RewardBounty
Target
*.status.app
TypeWeb
Severity
None
RewardBounty
Out of scope
TargetTypeSeverityReward
https://discuss.status.im/
Web
None
Bounty
test.*.status.im
Web
None
Bounty
dev.*.status.im
Web
None
Bounty
Target
https://discuss.status.im/
TypeWeb
Severity
None
RewardBounty
Target
test.*.status.im
TypeWeb
Severity
None
RewardBounty
Target
dev.*.status.im
TypeWeb
Severity
None
RewardBounty

Focus Area

No specific focus area has been defined so far.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, it will not be eligible for a reward.
  • Submit one vulnerability per a report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report received (provided that we can fully reproduce).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Researchers may not, and are not authorized to engage in any activity that would be disruptive, damaging, or harmful to Status.im, Waku & Vac brands or its users. This includes social engineering (e.g., phishing, vishing, smishing), physical security, and denial of service attacks against users, employees, or Status.im as a whole. Social engineering is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • If you gain access to sensitive information such as personal information, credentials as part of vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after the initial discovery.
  • Only reports submitted to this program and against assets in scope will be eligible for a monetary award. Nevertheless there might be exceptions that can be elegible for a monetary reward, depending on the impact.
  • Before causing damage or potential damage: Stop, report what you've found and requested additional testing permission.
  • Previous bounty amounts are not considered a precedent for future bounty amounts.
  • Minimize the mayhem. Adhere to program rules at all times.
  • The vulnerability must not be previously known to Status team.

The following issues are considered out of scope:

  • Current Issues or code marked as TODO/FIXME within the Status.im Github repositories (will be regarded as duplicates)
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Any physical attacks against Status property or data centers
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
  • Vulnerabilities in third-party applications
  • Assets that do not belong to the company
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Missing HTTP security headers
  • Lack of Secure and HTTPOnly cookie flags
  • Vulnerabilities that require root/jailbreak
  • Issues in software or hardware not under Status.im control: Vulnerabilities that have their root cause in an upstream dependency (e.g., React-Native) might be applicable, but have their severity lowered by at least 1 grade (e.g., Critical -> High, Medium -> Low)).

Feedback

We want to ensure that we are running properly our bug bounty program, for that reason we would love to hear your comments. If you would like to provide feedback on how we can improve our program, please contact us at [email protected].

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Status.im and our users safe; happy hacking!

Disclaimer
All testing environment without clear impact for Status Company is not eligible for the bounty and will be marked as "Out of scope".

Disclosure Guidelines

  • Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Status.im or HackenProof employees) prior to public disclosure
Rewards
Range of bounty$100 - $5,000
Severity
Critical
$3,000 - $5,000
High
$1,000 - $3,000
Medium
$300 - $1,000
Low
$100 - $300
Stats
Total rewards$7,800
Bugs found260
Categories
PlatformNetworkWallet
Types
webAPIinfrastructuredatabasesmart contract
SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response3d
Triage Time5d
Reward Time35d
Resolution Time35d