Waku: Program Info

Triaged by HackenProof

Waku is the communication layer for Web3. Decentralized communication that scales. Private, secure, and it runs anywhere. This program covers the Javascript & Go implementations.

In Scope

Target Type Severity Reward

A JavaScript implementation of the Waku v2 protocol (https://rfc.vac.dev/spec/10/).

Code Medium Bounty

We are interested in finding vulnerabilities in the examples but will consider the severity lower

Code Low Bounty
Code Medium Bounty

We are interested in finding vulnerabilities in the examples but will consider the severity lower

Code Low Bounty

Out of scope

Target Type Severity
Code None

No specific focus area has been defined so far. But a very valuable type of report would reveal a vulnerability in the implementations (js-waku or go-waku) which would trigger an update of the specification of the Waku v2 protocol (https://rfc.vac.dev/spec/10/). Those type of reports would be marked as High or Critical.

  • Please do not engage with infrastructure hosted on infra.status.im and all subdomains as any scanning and testing activity is treated as an incident. Violations lead to an exclusion from our program.
  • Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, it will not be eligible for a reward.
  • Submit one vulnerability per a report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report received (provided that we can fully reproduce).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Researchers may not, and are not authorized to engage in any activity that would be disruptive, damaging, or harmful to Status.im, Waku & Vac brands or its users. This includes social engineering (e.g., phishing, vishing, smishing), physical security, and denial of service attacks against users, employees, or Status.im as a whole. Social engineering is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • If you gain access to sensitive information such as personal information, credentials as part of vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after the initial discovery.
  • Only reports submitted to this program and against assets in scope will be eligible for a monetary award.
  • Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and data.
  • Before causing damage or potential damage: Stop, report what you've found and requested additional testing permission.
  • Previous bounty amounts are not considered a precedent for future bounty amounts.
  • The vulnerability must not be previously known to Waku team.

The following issues are considered out of scope:

  • Current Issues or code marked as TODO/FIXME within the Status.im Github repositories (will be regarded as duplicates)
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Any physical attacks against Status property or data centers
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity at the network or application layer that could lead to the disruption of our service (DoS), especially any form of spam (network level or client side).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
  • Issues in software or hardware not under Status.im control: Vulnerabilities that have their root cause in an upstream dependency (e.g., React-Native) might be applicable, but have their severity lowered by at least 1 grade (e.g., Critical -> High, Medium -> Low)).
  • Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Status.im or HackenProof employees) prior to public disclosure