Status: Program info

No specific focus area has been defined so far.

• Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, it will not be eligible for a reward.
• Submit one vulnerability per a report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report received (provided that we can fully reproduce).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Researchers may not, and are not authorized to engage in any activity that would be disruptive, damaging, or harmful to Status.im, Waku & Vac brands or its users. This includes social engineering (e.g., phishing, vishing, smishing), physical security, and denial of service attacks against users, employees, or Status.im as a whole. Social engineering is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
• If you gain access to sensitive information such as personal information, credentials as part of vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after the initial discovery.
• Only reports submitted to this program and against assets in scope will be eligible for a monetary award. Nevertheless there might be exceptions that can be elegible for a monetary reward, depending on the impact.
• Before causing damage or potential damage: Stop, report what you've found and requested additional testing permission.
• Previous bounty amounts are not considered a precedent for future bounty amounts.
• Minimize the mayhem. Adhere to program rules at all times.
• The vulnerability must not be previously known to Status team.

The following issues are considered out of scope:

• Current Issues or code marked as TODO/FIXME within the Status.im Github repositories (will be regarded as duplicates)
• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Attacks requiring MITM or physical access to a user's device.
• Any physical attacks against Status property or data centers
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
• Vulnerabilities in third-party applications
• Assets that do not belong to the company
• Best practices concerns
• Recently (less than 30 days) disclosed 0day vulnerabilities
• Missing HTTP security headers
• Lack of Secure and HTTPOnly cookie flags
• Vulnerabilities that require root/jailbreak
• Issues in software or hardware not under Status.im control: Vulnerabilities that have their root cause in an upstream dependency (e.g., React-Native) might be applicable, but have their severity lowered by at least 1 grade (e.g., Critical -> High, Medium -> Low)).

Feedback

We want to ensure that we are running properly our bug bounty program, for that reason we would love to hear your comments. If you would like to provide feedback on how we can improve our program, please contact us at [email protected].

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Status.im and our users safe; happy hacking!

Disclaimer
All testing environment without clear impact for Status Company is not eligible for the bounty and will be marked as "Out of scope".

• Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Status.im or HackenProof employees) prior to public disclosure