BSCS DEX Tools - Bug Bounty Program
OVERVIEW
Dear Users, to ensure a secure and optimal trading environment as BSCS DEX Tools continues to expand, we are mobilizing the expertise of the community to maximize the security of BSCS DEX Tools.
We will run the Bug Bounty Program from Oct 3 to Oct 16, 2023, offering security experts incentives for security advice and vulnerability analysis.
PROGRAM SCOPE
The program's scope is strictly limited to technical and logical vulnerabilities and issues in the company's services. We are currently offering rewards for vulnerabilities found in the services listed in the asset table.
A bug that is common to all of these domains is always counted as a single bug.
If multiple attack scenarios stem from a single vulnerability, we will review the report but may decline it as a duplicate.
What if I find a vulnerability in BSCS services that is not within scope?
If you find a vulnerability that does not concern one of the projects listed below, we will be glad to accept and investigate it, but only if it is related to BSCS. In this case, a reward is granted on a case-by-case basis for the most critical vulnerabilities only.
BSCS employees and employees of any company in the BSCS group cannot participate in the BSCS Bug Bounty Program.
REWARD
Rewards are divided into four tiers according to severity; each tier carries a different reward.
Level of Severity and Reward Range:
Critical: 100 USDT
Vulnerabilities that undermine user assets’ security
Vulnerabilities that bypass the applications or procedures under normal trading logic
Vulnerabilities that could remotely access essential information and authentication information of users
Vulnerabilities related to key generation, encryption, decryption, signing, and verification
Major: 50 USDT
Vulnerabilities with an impact similar to Critical vulnerabilities but dependent on specific prerequisites
Vulnerabilities that lead to high-risk information leakage
Medium: 25 USDT
Vulnerabilities that lead to the leakage of part of the users’ info through interaction or financial fraud
Vulnerabilities that cause BSCS to be unable to respond to users’ requests from the web
Minor: 10 USDT
Vulnerabilities due to product design defects that do not affect the security of users’ assets
Vulnerabilities that lead to Denial of Service of core BSCS services
If we accept your bug/vulnerability report, we will pay your reward in USDT.
Please note that the threat level will be determined by BSCS security staff, and that BSCS has sole discretion in deciding whether a report meets the reward criteria.
IN-SCOPE VULNERABILITIES
We are mostly interested in the following vulnerabilities:
Problems with business logic that may result in the loss of user assets.
Payment manipulation.
Remote code execution (RCE).
Leakage of sensitive information.
Critical OWASP issues such as XSS, CSRF, SQL injection, SSRF, IDOR, and others.
Other vulnerabilities that may result in potential loss.
OUT OF SCOPE VULNERABILITIES
We do not accept or review the following reports:
Reports from automatic security scanners without real impact
Attacks requiring physical access to a user's device
Any physical attacks against BSCS property or data centers
Password and account recovery policies, such as reset link expiration or password complexity
Invalid or missing SPF / DKIM records
Content spoofing/text injection
Issues related to software or protocols not under BSCS control
Reports based solely on a product/protocol version without demonstrating that the vulnerability is actually present
Reports of a missing protection mechanism or best current practice (e.g. no CSRF token, no framing/clickjacking protection) without a demonstration or explanation of real security impact for users or the system
Login/Logout CSRF
Using components with known vulnerabilities without an exploit or impact
Vulnerabilities of partner products or services if BSCS users/accounts are not affected directly
Open redirects (except cases with additional impact, e.g. token hijacking)
Client-side DoS (regexp, cookie, etc.)
Same site scripting and similar attacks with questionable impact
Any kind of self-attack (self-XSS, self-takeover, etc.)
Clickjacking
Reverse Tabnabbing without XSS
Any theoretical vulnerabilities and design principles without real provided impact
API key leaks with no security impact (e.g. Google Maps API key disclosure such as AIza*)
Customer username enumeration/brute force
Skipping email verification using legitimate functionality
Host header injection with no security consequences
WordPress vulnerabilities without a PoC
External service interaction / DNS lookup of the domain in the Host header; this is standard behavior of the Imperva WAF (formerly Incapsula)
Public 0-day/1-day vulnerabilities
Public 0-day/1-day vulnerabilities may be classified as Informative for a few days after the vulnerability details or exploit are published, if the vulnerability is already known to our team from public sources and we are working to mitigate or patch it.
HOW TO SUBMIT A BUG REPORT?
A bug report must contain the following:
Impact - the REAL impact of the vulnerability on our users and on the company's funds or reputation
A highly detailed description of the discovered vulnerability
Steps to reproduce
A working proof-of-concept:
Exploit code
Video
Screenshots
Web/API requests and responses/traffic logs
Email address or user ID involved in PoC
IP address used during testing
CVSS if applicable
Send your report using this FORM
Note: We may close a submission as Informative or N/A in cases where we cannot confirm the existence of the reported issue (including financial reports).
In case of RCE, SQLi, or LFI:
Allowed Actions:
Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
Uploading a file that outputs the result of a hard-coded benign command
Please provide the following information:
Source IP address
Timestamp, including time zone
Full server request and responses
Filenames of any uploaded files, which must include “bugbounty” and the timestamp
Callback IP and port, if applicable
Any data that was accessed, either deliberately or inadvertently
Avoid any harmful actions and post-exploitation, including:
Uploading files that allow arbitrary commands (i.e. a webshell)
Modifying any files or data, including permissions
Deleting any files or data
Interrupting normal operations (e.g. triggering a reboot)
Creating and maintaining a persistent connection to the server
Intentionally viewing any files or data beyond what is needed to prove the vulnerability
Failing to disclose any actions taken or any of the required information above
CVSS Score
When reporting a vulnerability, you can either choose a severity level based on your own judgment of the vulnerability, or you can use the CVSS calculator to give more information about the vulnerability and calculate an exact CVSS score.
However, the final severity level will depend on the business impact, which is defined by BSCS.
PLEASE DO NOT EVER USE THESE TECHNIQUES WHEN CONDUCTING YOUR TESTS:
Physical tampering with BSCS data centers or offices
Social engineering directed at the company's employees
Breaking into the company's infrastructure and using the information obtained to report vulnerabilities
DoS on BSCS infrastructure
Brute forcing or social engineering directed at our clients
RESPONSE TARGETS
Time to first response (from report submission) - 2 business days
Time to triage (from report submission) - 5 business days
Time to bounty (from triage) - 1 to 15 business days
HOW ARE BUG REPORTS EXAMINED?
Reports about vulnerabilities are examined by our security analysts. Our analysis is always based on the worst-case exploitation of the vulnerability, as is the reward we pay.
If you prefer to remain anonymous, we recommend using an alias when submitting bug reports.
Please remain patient after you submit the report, and do not ask for bounties before we have investigated the report and resolved the bug described in it.
VULNERABILITY DISCLOSURE
Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from BSCS.
No vulnerability disclosure, including partial, is allowed for the moment.
Please do NOT publish or discuss bugs.
BE ETHICAL WHEN HACKING
Please use your own accounts to conduct your research. Do not try to gain access to others' accounts or any confidential information.
About BSCS
BSCS is a fully decentralized protocol for launching new ideas: an all-in-one incubation hub with a full-stack DeFi platform across all main blockchain networks. We provide exclusive services including an IDO/INO Launchpad, yield farming, NFT auctions, a marketplace, and BSCSwap.
BSCS operates on top of all main blockchain networks and is designed to offer maximum value to consumers and institutions.
The BSCS platform uses the Sharing Economy Model for profit-sharing, helping users access DeFi platforms in the easiest, safest, and most cost-effective way. BSCS is the most convenient bridge connecting users and application products on all main blockchain networks.