VeChainThor Wallet
Managed by HackenProof

VeChain

Cybersecurity of the company and the security of our users' data is a top priority for us, therefore VeChain launched a bug bounty program to find vulnerabilities and pay rewards.

In Scope

Target Type Severity Reward
iOS Critical Bounty
Android Critical Bounty
Severity (CVSSv3) Reward
Critical 3000$
High 1800$
Medium 700$
Low 300$

We are interested in the next vulnerabilities:

  • Remote code execution and stored XSS
  • Database vulnerability, SQLi
  • Privilege escalation (both vertical and horizontal)
  • Data breach
  • Authentication bypass
  • CSRF
  • Obtaining sensitive information
  • Shell inclusion

Out-of-Scope


In general, they do not correspond to the severity threshold for Android apps:

  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation is out of scope
  • OAuth & App secret hard-coded/recoverable in APK
  • Crashes due to malformed Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in app private directory
  • Lack of binary protection control in android app
  • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

In general, they do not correspond to the severity threshold for iOS apps:

  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation is out of scope
  • OAuth & app secret hard-coded/recoverable in IPA
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)
  • Localize all your tests to your account. Don't affect other users.
  • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
  • It’s forbidden to perform DoS / DDoS on resources in the Scope.
  • Follow disclosure guidelines.

To participate in the contest, you must agree and follow the rules described in this policy. You must be the first to report a vulnerability to receive a reward.

You must send a clear textual description of the work done, along with steps to reproduce the vulnerability.

After sending report, you cannot tell anyone or anywhere. Public disclosure of a vulnerability makes it ineligible for a bounty. Also, please do not store screenshots and / or executable codes and scripts related to the vulnerability discovered on publicly available services and resources so that the information is not available to third parties.