“Bug Bounty is a deal offered by many websites and
software developers by which individuals can receive
recognition and compensation for reporting bugs,
especially those pertaining to exploits and
vulnerabilities.”
There are two approaches to managing Bug Bounties:
some companies choose to self-host their programs,
and some use the services of a Bug Bounty Platform to
launch and coordinate them. The best way to give you
an idea of how a Bug Bounty Platform works is to
give an example.
Let’s say we have a company, SoftwareCo, that wants to
check its software for security vulnerabilities. We
will illustrate two scenarios – one in which
SoftwareCo hires a traditional cybersecurity company
and another in which SoftwareCo works with a Bug
Bounty Platform.
Scenario 1 – Traditional cyber security company:
1. SoftwareCo hires a security consulting firm,
ProtectCo, to test their software. ProtectCo is a
typical consulting service provider with a few
dozen employees.
2. ProtectCo will assign a few of its
cybersecurity experts, who will be testing
SoftwareCo’s software for 2-4 weeks.
3. After the assessment, ProtectCo will provide
a report describing all vulnerabilities that
ProtectCo’s employees have found during the
assessment and will hand it over to SoftwareCo.
4. The Head of IT at SoftwareCo will be responsible
for fixing the bugs.
That’s the standard process that most companies go
through when conducting a security assessment of
their digital assets.
Now, let’s take a look at Scenario 2, where
SoftwareCo chooses a Bug Bounty Platform (BBP):
1. At first, BBP will help SoftwareCo create a
Bug Bounty Program Policy – a document that
describes in detail which resources are in
scope and out of scope, what the reporting
procedure is, what the rewards for various
vulnerabilities are, and other rules.
2. Once that’s done, BBP will announce to
hundreds of its researchers that a Bug Bounty
Program for SoftwareCo is live, with a Call to
Action to take part in it.
3. Dozens of security researchers will be
testing SoftwareCo’s digital assets for months
(or even years).
4. All vulnerabilities are reported via the
platform. BBP’s triage team validates each
report.
5. SoftwareCo can monitor their program
activity 24/7 and gets live updates on found
vulnerabilities and money spent.
As you can see, in the second scenario lots and
lots of researchers with various backgrounds will
test SoftwareCo’s digital assets for a prolonged
period of time, greatly reducing the chance that
a bug will “slip by”. Traditional security
consulting companies simply can’t compete with
the talent base that is available to Bug Bounty
Platforms.
Many companies have a mindset of building an
“impenetrable wall” around their digital assets that
will save them. The reality, however, is different.
No matter how great the wall is, sooner or later
hackers will find a weak spot in it and exploit it.
Technology is evolving all the time and your defense
has to keep pace. The right mindset if you don’t
want to be hacked is to CONSTANTLY keep testing your
“wall”, find vulnerabilities and fix them before
black hat hackers can exploit them.
Bug Bounty is a convenient and efficient way for
companies to continuously test the security of their
digital assets.
Bitcoin
Intro
Blockchain is the most trusted and fastest growing crypto company, helping
millions across the globe have an easy and safe way to access
cryptocurrencies.
To date we have over 35 million wallet signups, 100 million cryptocurrency
and token transactions, and 25 thousand API users supporting 140 countries.
If you are new to our products, please review our Security Learning Portal
before submitting reports.
Rewards
We evaluate the severity of security issues based on their impact and
exploitability, based loosely on CVSS standards. Final decision on severity is
made at our sole discretion.
Below are monetary rewards for each severity level, denominated in US
dollars. Pluses indicate minimum amounts.
Critical: $2,000+ (compromise of important infrastructure; vulnerabilities that
result in theft of cryptographic key material or user funds, e.g. Wallet XSS,
server Command Injection)
High: $750 (e.g. CSRF executing an important action but less severe than loss
of funds)
Medium: $300+ (e.g. HTML injection in a non-transactional section of the
website: https://hackerone.com/reports/179426)
Low: $50 (e.g. server version disclosure https://hackerone.com/reports/179217
or low-value information disclosure https://hackerone.com/reports/179599)
Response Targets
Blockchain will make a best effort to meet the following response targets for
hackers participating in our program:
Time to first response (from report submit) - 5 business days
Time to triage (from report submit) - 10 business days
Time to bounty (from triage) - 10 business days
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
As this is a private program, please do not discuss this program or any
vulnerabilities (even resolved ones) outside of the program without explicit
consent from us.
Follow HackerOne's disclosure guidelines.
Program Rules
Please provide detailed reports with reproducible steps. If the report is not
detailed enough to reproduce the issue, the issue will not be eligible for a
reward.
Submit one vulnerability per report, unless you need to chain
vulnerabilities to maximize impact.
When duplicates occur, we only award the first report that was received
(provided that it can be fully reproduced). Issues identified by our internal
security testing prior to your report count as duplicates.
Multiple vulnerabilities caused by one underlying issue will be awarded one
bounty.
Social engineering of our users, employees, partners, etc. (e.g. phishing,
vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data,
and interruption or degradation of our service. Only interact with accounts
you own or with the explicit permission of the account holder.
The scope section lists the assets eligible for bounty testing, including
wildcards, except where an asset is explicitly excluded. We exercise sole and
final discretion on which assets are in scope.
Out of Scope
When reporting vulnerabilities, please consider (1) attack
scenario/exploitability, and (2) the security impact of the bug. The following
issues are considered out of scope:
Open redirect at blockchain.com/r. unless you devise a way to bypass the
warning screen
The same email address can be used to register multiple wallet accounts --
this is intentional.
https://en.bitcoin.it/wiki/ and the en.bitcoin.it domain are NOT owned by
Blockchain and therefore are NOT in scope.
Support for HTTP methods such as OPTIONS does not constitute a
vulnerability by itself; please ONLY submit findings related to this if you
identify specific vulnerabilities.
Clickjacking on pages with no sensitive actions.
Unauthenticated/logout/login CSRF.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a
vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS). DoS
software vulnerabilities may be reported, but must be tested in a fashion
as to not significantly impact service to users.
Content spoofing and text injection issues without showing an attack
vector/without being able to modify HTML/CSS
Phishing websites and malware lookalike applications (please report to
Support staff instead)
https://itunes.apple.com/us/app/zeroblock-real-time-bitcoin/id643184018
(ZeroBlock iOS application -- legacy support only)
Physical security of our offices, employees, etc.
Non-security-impacting UX issues
Web applications operated by third parties are only considered in scope in
the following ways:
Aspects which we directly control such as our own DNS records for
subdomains that point to third party applications are in scope.
Vulnerabilities in third-party applications must first be reported to the
vendor. We may optionally reward for these issues on top of the vendor
based on the outcome of that report.
The following assets represent third-party applications, along with their
vendors to report issues to:
campaigns.blockchain.com (ActOn)
email-clicks.blockchain.com (SendGrid)
jamf.blockchain.com (Jamf)
support.blockchain.com (ZenDesk)
blog.blockchain.com (Ghost)
Guidelines for Crafting a Report
If our security team cannot reproduce and verify an issue, a bounty cannot
be awarded. To help streamline our intake process, we ask that submissions
include:
Description of the vulnerability
Steps to reproduce the reported vulnerability
Proof of exploitability (e.g. screenshot, video)
Perceived impact to another user or the organization
Proposed CVSSv3 Vector & Score (without environmental and temporal
modifiers)
List of URLs and affected parameters
Other vulnerable URLs, additional payloads, Proof-of-Concept code
Browser, OS and/or app version used during testing
All supporting evidence and other attachments must be stored only within
the report you submit. Do not host any files on external services.
Testing Tips
When spidering or testing our blockchain data, note that our site exposes the
same data under many URL variations, few of which merit individual security
testing. This includes:
Data for each transaction, block, address, etc.,
e.g. https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb
vs https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25
Data presented in multiple human languages,
e.g. https://www.blockchain.com/explorer vs https://www.blockchain.com/es/explorer
Our open source application source code can be found for review at GitHub.
Safe Harbor
Any activities conducted in a manner consistent with the law and our bounty
policy will be considered authorized conduct and we will not initiate legal
action against you. If legal action is initiated by a third party against you in
connection with activities conducted under this policy, we will take steps to
make it known that your actions were conducted in compliance with this
policy.
Thank you for helping keep Blockchain and our users safe!