Cybersecurity of the company and the security of our users' data is a top priority for
us, therefore VeChain launched a bug bounty program to find vulnerabilities and pay
rewards.
In Scope
| Target | Type | Severity | Reward |
|---|---|---|---|
| iOS | Critical | Bounty | |
| Android | Critical | Bounty |
We are interested in the next vulnerabilities:
- Remote code execution and stored XSS
- Database vulnerability, SQLi
- Privilege escalation (both vertical and horizontal)
- Data breach
- Authentication bypass
- CSRF
- Obtaining sensitive information
- Shell inclusion
Out-of-Scope
In general, they do not correspond to the severity threshold for Android apps:
- Sensitive data in URLs/request bodies when protected by TLS
- Lack of obfuscation is out of scope
- OAuth & App secret hard-coded/recoverable in APK
- Crashes due to malformed Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
- Any kind of sensitive data stored in app private directory
- Lack of binary protection control in android app
- Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)
In general, they do not correspond to the severity threshold for iOS apps:
- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
- Sensitive data in URLs/request bodies when protected by TLS
- Path disclosure in the binary
- User data stored unencrypted on the file system
- Lack of obfuscation is out of scope
- OAuth & app secret hard-coded/recoverable in IPA
- Crashes due to malformed URL Schemes
- Lack of binary protection (anti-debugging) controls
- Snapshot/Pasteboard leakage
- Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)
- Localize all your tests to your account. Don't affect other users.
- Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.
- In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
- It’s forbidden to perform DoS / DDoS on resources in the Scope.
- Follow disclosure guidelines.
To participate in the contest, you must agree and follow the rules described in this policy.
You must be the first to report a vulnerability to receive a reward.
You must send a clear textual description of the work done, along with steps to reproduce
the vulnerability.
After sending report, you cannot tell anyone or anywhere. Public disclosure of a vulnerability
makes it ineligible for a bounty. Also, please do not store screenshots and / or executable
codes and scripts related to the vulnerability discovered on publicly available services and
resources so that the information is not available to third parties.