Bug bounty
Triaged by HackenProof

VeChainThor Wallet: Program info

VeChainThor Wallet

Company: VeChain
This program is active now

The cybersecurity of the company and the security of our users' data are a top priority for us; therefore VeChain launched a bug bounty program to find vulnerabilities and pay rewards.

In scope
Target: iOS Wallet
https://itunes.apple.com/app/vechainthor/id1397679485?mt=8
Type: iOS
Severity: Critical
Reward: Bounty

Target: Android Wallet
https://play.google.com/store/apps/details?id=com.vechain.wallet
Type: Android
Severity: Critical
Reward: Bounty

Focus Area

We are interested in the following vulnerabilities:

  • Remote code execution and stored XSS
  • Database vulnerability, SQLi
  • Privilege escalation (both vertical and horizontal)
  • Data breach
  • Authentication bypass
  • CSRF
  • Obtaining sensitive information
  • Shell inclusion

Out-of-Scope

The following issues generally fall below the severity threshold for Android apps:

  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation
  • OAuth & App secret hard-coded/recoverable in APK
  • Crashes due to malformed Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in app private directory
  • Lack of binary protection controls in the Android app
  • Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)

The following issues generally fall below the severity threshold for iOS apps:

  • Lack of exploit mitigations, i.e. PIE, ARC, or stack canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation
  • OAuth & app secret hard-coded/recoverable in IPA
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits using tools such as, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)

Program Rules

  • Localize all your tests to your account. Don't affect other users.
  • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.
  • If you find a chain of vulnerabilities, we pay only for the vulnerability with the highest severity.
  • It is forbidden to perform DoS/DDoS attacks on resources in scope.
  • Follow disclosure guidelines.

Disclosure Guidelines

To participate in the contest, you must agree to and follow the rules described in this policy. You must be the first to report a vulnerability to receive a reward.

You must send a clear textual description of the work done, along with steps to reproduce the vulnerability.

After sending a report, you must not disclose it to anyone or anywhere. Public disclosure of a vulnerability makes it ineligible for a bounty. Also, please do not store screenshots and/or executable code and scripts related to the discovered vulnerability on publicly available services and resources, so that the information is not available to third parties.

Rewards

Range of bounty: $300 - $3,000

Severity    Reward
Critical    $3,000
High        $1,200
Medium      $700
Low         $300
Stats

Total rewards: $600
Reports submitted: 50
Types: apps
Platforms: iOS, Android
Project types: Wallet
Hackers (5)

v1nzen  1
Rk Thakur 🇳🇵  2
Vivek Yadav  3
Mike Williams  5
SLA (Service Level Agreement)

Time within which the program's triage team must respond:

Response type      Business days
First Response     1d
Triage Time        3d
Reward Time        3d
Resolution Time    5d