Golden Security Bug Bounty Program
Reward pool: Not set (USD)
Expected profit: up to $10,000
Max participants: No limit
DropsEarn score: Neutral (Normal, Low Risks)
Details
Golden recently opened up its dApp to facilitate improvements, analyze malicious behavior, and deliver an easy-to-use solution for its customers. To bring stronger transparency to its customers, Golden is opening a security Bug Bounty covering its web2, web3, and protocol components. Golden will offer increased payouts for validated findings until December 1, 2022.
Scope and Reporting
This is a black box test against the Golden production environment. To have your vulnerability verified, send the report to [email protected]. Make the subject line clearly indicate that this is a bug bounty request (e.g., "Bug Bounty: XSS found in site").
All findings MUST include:
- Repeatable, programmatic ways for the internal team to replicate and validate
- Vulnerability title, summary, and walkthrough
- All reports in English
In Scope
Ensure that you adhere to Amazon’s Penetration Testing Policy.
Not in Scope
- Denial of Service (DoS/DDoS) style attacks. If you believe you have found a DoS-related vulnerability, email [email protected]; Golden will either test it internally or give you a specific time frame in which to test.
- Social Engineering style attacks. This includes anything that would require another user to be coerced into navigating to or interacting with an "attack". Examples include:
  - Phishing
  - Web site spoofing
  - Link manipulation (e.g., changing an "l" to a "1" in a URL to deceive a user)
- Brute force style attacks. This primarily covers attempts to gain access to users' accounts.
- Accessing another user's data by any means. If you need to test an exploit that interacts with another user, set up a second user account for testing, or reach out to [email protected] if you have specific testing requirements.
Payouts
Golden does not rely solely on severity ratings (e.g., CVSS) for a vulnerability; it focuses on the business impact of the vulnerability. Findings are rewarded on a first-come basis. Golden breaks rewards down into three (3) payout categories, each with a maximum payout.
Critical Max Payout: $10,000
Any vulnerability that if exploited would lead to a total compromise of dApp, Golden, or affiliated properties.
Examples include:
- Gaining elevated or privileged access to infrastructure
- Gaining interactive access to dApp or supporting applications
- Ability to fully control dApp
High Max Payout: $5,000
Any vulnerability that would lead to mass data loss. Examples include:
- Ability to steal all/any user’s access keys
- Ability to download, export, delete databases
- Ability to change data associated with other users
Medium Max Payout: $1,000
Any vulnerability that would lead to performance degradation or data spillage. Examples include:
- Persistent Cross Site Scripting (XSS) that can access another user’s settings
- Application vulnerability via injecting/modifying API
- UI bug via data input that could cause performance or security issues
- Associating full wallet IDs to personally identifying information (name, username, or email address).
Vulnerabilities Excluded from Payouts
Depending on their impact, some reported issues may not qualify if they do not present a considerable amount of risk to the business. Below are a few examples of non-qualifying issues.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- CSRF attacks that require knowledge of the CSRF token (e.g. attacks involving a local machine).
- Logout Cross-Site Request Forgery (logout CSRF).
- Content Spoofing.
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS HTTP method enabled.
- Username / email enumeration.
- Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  - Content-Security-Policy-Report-Only
  - Cache-Control and Pragma
- HTTP/DNS cache poisoning.
- SSL/TLS issues, e.g.
  - SSL attacks such as BEAST, BREACH, and the renegotiation attack
  - SSL forward secrecy not enabled
  - SSL weak/insecure cipher suites
- Self-XSS reports will not be accepted.
- Similarly, any XSS that requires local access (e.g., User-Agent header injection) will not be accepted. The only exception is if you can show a working off-path MITM attack that allows the XSS to trigger.
- Missing or incorrect SPF records of any kind.
- Missing or incorrect DMARC records of any kind.
- Source code disclosure vulnerabilities.
- Information disclosure of non-confidential information
- Email bombing/flooding/rate limiting
Rewarding Payout
Valid submissions will receive a response in a timely manner (usually within a week). Once a bug bounty has been assigned a payout severity (e.g., Critical), Golden will request the following information in order to reward the bounty. Golden will perform due diligence in evaluating the submitter. The information requested will include:
- Full Name (Legal Name)
- Discord Username (Optional)
Legal Disclosure
Golden is unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
This is not a competition, but rather an experimental and discretionary rewards program. You should understand that the project can cancel the program at any time and that the decision whether or not to pay a reward is entirely at our discretion. Golden rewards bug bounty hunters on a first-come, first-served basis, so if you find a vulnerability that has already been reported, the team will not reward you. There is no guarantee of a payout for a submitted bug; payouts are completely at Golden's discretion.
Your testing must not violate any law, disrupt, or compromise any data that is not your own.
If you have any questions, please contact [email protected].
Definitions
- Black Box. Type of testing where Golden shares no sensitive information with the testers. Golden does not grant special accesses and the main goal is to test based on an attacker with no internal knowledge of the systems.
- Scope. Defines the IP addresses, domains, hardware, software, users, networks, and any other data point that an ethical hacker is allowed and not allowed to conduct operations against.
About
Golden has announced its security bug bounty program. Help secure and improve the protocol: earn testnet points by finding valid vulnerabilities, squash bugs, earn kudos in the community.
From 31 Aug 2022 15:43 (UTC+3)
Status: Open