1. Main
  2. Programs
  3. Status.app
  4. Status

Status: Program Info

Triaged by HackenProof
Status.app
Submit report

Status strives to be a secure communication tool that upholds human rights. Designed to enable the free flow of information, protect the right to private, secure conversations, and promote the sovereignty of individuals.

Scope

In Scope

Target Type Reward
https://apps.apple.com/us/app/status-private-communication/id1178893006
 iOS Bounty
https://status-im-files.ams3.cdn.digitaloceanspaces.com/StatusIm-Mobile-v1.19.0-d6a6c4.apk
 Android Bounty
https://status-im-files.ams3.cdn.digitaloceanspaces.com/StatusIm-Desktop-v0.9.0-ef27bb.dmg

macOS desktop application

 Other Bounty
https://status-im-files.ams3.cdn.digitaloceanspaces.com/StatusIm-Desktop-v0.9.0-ef27bb.exe

Windows desktop application

 Other Bounty
https://status-im-files.ams3.cdn.digitaloceanspaces.com/StatusIm-Desktop-v0.9.0-ef27bb.tar.gz

Linux desktop application

 Web Bounty
*.status.im
 Web Bounty
Status Smart Contracts
 Smart Contract Bounty
*.status.app
 Web Bounty

Out of scope

Target Type Severity
https://discuss.status.im/
 Web None
test.*.status.im
 Web None
dev.*.status.im
Web None

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, it will not be eligible for a reward.
  • Submit one vulnerability per a report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report received (provided that we can fully reproduce).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Researchers may not, and are not authorized to engage in any activity that would be disruptive, damaging, or harmful to Status.im, Waku & Vac brands or its users. This includes social engineering (e.g., phishing, vishing, smishing), physical security, and denial of service attacks against users, employees, or Status.im as a whole. Social engineering is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • If you gain access to sensitive information such as personal information, credentials as part of vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after the initial discovery.
  • Only reports submitted to this program and against assets in scope will be eligible for a monetary award. Nevertheless there might be exceptions that can be elegible for a monetary reward, depending on the impact.
  • Before causing damage or potential damage: Stop, report what you've found and requested additional testing permission.
  • Previous bounty amounts are not considered a precedent for future bounty amounts.
  • Minimize the mayhem. Adhere to program rules at all times.
  • The vulnerability must not be previously known to Status team.

The following issues are considered out of scope:

  • Current Issues or code marked as TODO/FIXME within the Status.im Github repositories (will be regarded as duplicates)
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Any physical attacks against Status property or data centers
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
  • Vulnerabilities in third-party applications
  • Assets that do not belong to the company
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Missing HTTP security headers
  • Lack of Secure and HTTPOnly cookie flags
  • Vulnerabilities that require root/jailbreak
  • Issues in software or hardware not under Status.im control: Vulnerabilities that have their root cause in an upstream dependency (e.g., React-Native) might be applicable, but have their severity lowered by at least 1 grade (e.g., Critical -> High, Medium -> Low)).

Feedback

We want to ensure that we are running properly our bug bounty program, for that reason we would love to hear your comments. If you would like to provide feedback on how we can improve our program, please contact us at [email protected].

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Status.im and our users safe; happy hacking!

Disclaimer

All testing environment without clear impact for Status Company is not eligible for the bounty and will be marked as Out of scope.

Disclosure Guidelines

  • Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Status.im or HackenProof employees) prior to public disclosure

Rewards

Range of bounty

$100 - $5,000

Severity

Critical
$3,000 - $5,000
High
$1,000 - $3,000
Medium
$300 - $1,000
Low
$100 - $300

Stats

$7,500
94

Categories

Platform Network Wallet

Types

web API infrastructure database smart contract

Hackers (113)

View all

Name

Rank

krevetk0

1

mikkocarreon

2

Fastra

3

sc scanon

4

SLA
(Service Level Agreement)
Time within which the program's triage team must respond

Response Type

Business days

First Response

3 d

Triage Time

5 d

Reward Time

35 d

Resolution Time

35 d