Mind Network Bug Bounty Program

Details

Rewards will be provided according to the rules of this bug bounty program as outlined above. At the discretion of Mind Network, quality, creativity, or novelty of submissions may modify payouts within a given range. In case of multiple reports about the same issue,Mind Network will reward the earliest submission, regardless of how the issue was reported. CVSS standards will be used for vulnerability rating (CVSS3.1).

Blockchain & SmartContracts

Websites and Applications

Scopes

Smart Contract

Contract Address

Websites and application

Out of Scopes

Websites and Applications

• Theoretical impacts without any proof or demonstration
• Impacts involving attacks requiring physical access to the victim device
• Impacts involving attacks requiring access to the local network of the victim
• Reflected plain text injection (e.g. url parameters, path, etc.)
• This does not exclude reflected HTML injection with or without JavaScript
• This does not exclude persistent plain text injection
• Any impacts involving self-XSS
• Captcha bypass using OCR without impact demonstration
• CSRF with no state modifying security impact (e.g. logout CSRF)
• Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as "httponly") without demonstration of impact
• Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces
• Impacts causing only the enumeration or confirmation of the existence of users or tenants
• Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
• Lack of SSL/TLS best practices
• Impacts that only require DDoS
• UX and UI impacts that do not materially disrupt use of the platform
• Impacts primarily caused by browser/plugin defects
• Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)
• Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)
• SPF/DMARC misconfigured records
• Missing HTTP Headers without demonstrated impact
• Automated scanner reports without demonstrated impact
• UI/UX best practice recommendations
• Non-future-proof NFT rendering.

Reporting rules

• Rewards or recognition require that the Mind Network security team can reproduce and verify an issue and that the security impact is clear;
• Reproduction steps need to be clear, and may include screenshots, videos, scripts, etc;
• Do not conduct social engineering and phishing to people;
• Do not leak the details of the vulnerability;
• Do not use a scanner for large-scale scanning. If the business system or network becomes unavailable, it will be handled according to relevant laws;
• Those who test the vulnerability should try to avoid modifying the page directly, continuing popping up the message box (log is recommended for XSS verification), stealing Cookies, and obtaining aggressive payload such as the user information (for blind XSS testing, please use DNSLog). If you accidentally used a more aggressive payload, please delete it in time;
• Vulnerability testing is only limited to PoC(proof of concept), and destructive testing is strictly prohibited. If harms are caused inadvertently during the testing, it should be reported in time. Meanwhile, sensitive operations performed in the test, such as deletion, modification, and other operations, are required to be explained in the report.test, such as deletion, modification, and other operations, are required to be explained in the report.

Links

• Website
• Twitter
• Discord
• Telegram