Guidelines
We ask that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
- Use the identified communication channels to report vulnerability information to us
- Report vulnerabilities as soon as you discover them, but keep them confidential between yourself and Qtova until we've resolved the issue
- Provide us with at least 7 working days to investigate the issue and get back to you
If you are the first to report the issue, and we make a code or configuration change based on the issue, we commit to:
- Recognize your contribution on Qtova.io (the last 50 contributors are listed below)
- Reward you with a bounty (up to a maximum of $2500 paid out per month):
  - $1000-$3000 in crypto equivalent if you identified a vulnerability that presented a critical risk *
  - $500 in crypto equivalent if you identified a vulnerability that presented a high risk *
  - $250 in crypto equivalent if you identified a vulnerability that presented a moderate risk *
  - $0 in crypto equivalent if you identified a vulnerability that presented a low risk *
  - Entry in the Hall of Fame only, if there was in fact no or low risk vulnerability, but we still made a code or configuration change nonetheless

The researcher will provide us with a wallet address, based on the reported explorer, for the payout within 7 days after we have resolved the issue.

* vulnerability level will be determined at our discretion
** in the event the vulnerability exists in multiple explorers, only the reported explorer is entitled to the rewards
Scope
Qtova (Qtova.io) and explorers under EaaS (https://Qtova.io/eaas)
We are interested in the following vulnerabilities:
- Business logic issues
- Remote code execution (RCE)
- Database vulnerabilities, SQLi
- File inclusions (Local & Remote)
- Access Control Issues (IDOR, Privilege Escalation, etc)
- Leakage of sensitive information
- Server-Side Request Forgery (SSRF)
- Other vulnerabilities with a clear potential loss
Out of scope
Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:
- Visual typos, spelling mistakes, etc
- Findings derived primarily from social engineering (e.g. phishing, etc)
- Findings from applications or systems not listed in the 'Scope' section
- UI/UX bugs, data entry errors, spelling mistakes, typos, etc
- Network level Denial of Service (DoS/DDoS) vulnerabilities
- Certificates/TLS/SSL related issues
- DNS issues (i.e. MX records, SPF records, etc.)
- Server configuration issues (i.e., open ports, TLS, etc.)
- Spam or Social Engineering techniques
- Security bugs in third-party applications or services
- XSS exploits that do not pose a security risk to 'other' users (Self-XSS)
- Login/Logout CSRF-XSS
- https/ssl or server-info disclosure related issues
- https Mixed Content Scripts
- Brute Force attacks
- Best practices concerns
- Recently (less than 30 days) disclosed 0day vulnerabilities
- Username/email enumeration via Login/Forgot Password Page error messages
- Missing HTTP security headers
- Weak password policy
- HTML injection
How to Report a Security Vulnerability
- Description of the location and potential impact of the vulnerability
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
- Your name/handle and a link for recognition in our Hall of Fame (twitter, reddit, facebook, hackerone, etc)
- List the affected explorer(s)
- Email us at [Bug Bounty Report]
HALL OF FAME
Special thanks to the following researchers for helping us make Qtova and other explorers a better place