🔥 The BSCStation Platform V2 has officially launched and we will host a Bug Bounty Program to enhance the community's experience via our users' feedback with valuable rewards for your contribution!
🤝 We also have awards for supportive contributors who give helpful suggestions to improve the BSCStation Platform.
⏰ Time: 10 AM October 21st - 10 AM October 31st (UTC)
🎁 Reward: 10,000 BUSD
✨ Critical bug: 200 BUSD each
✨ Normal bug: 100 BUSD each
💖 The Supportive: 10 BUSD each
⚙️ If you find any bugs while accessing the BSCStation Platform, please submit a detailed report via this LINK.
‼️ Immediately email support@bscstation.org if it is a critical bug.
🔗 The BSCStation Quality Assurance team will perform a check to determine whether the bug is a critical bug or a normal bug and calculate the reward.
🌟 BSCStation will contact the contributor to send the reward via the submitted email.
📕 Details of the BSCStation Bug Bounty Program
BSCStation Bug Bounty Program Rules
Please disclose vulnerabilities privately via this LINK or through our email: support@bscstation.org.
Public disclosure of a vulnerability would make it ineligible for a reward.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Only interact with accounts you own or with the explicit permission of the account holder.
Avoid using web application scanners for automatic vulnerability searching, which generates massive traffic.
Don’t access or modify other user data; localize all tests to your accounts.
Perform testing only within the scope.
Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam.
Don’t spam forms or account creation flows using automated scanners.
Don’t break any law and stay within the defined scope.
Please note that only vulnerabilities with a working proof of concept that shows how they can be exploited will be considered eligible for monetary rewards.
Any details of found vulnerabilities must not be communicated to anyone who is not an authorized employee of BSCStation without appropriate permission.
Terms and conditions of the bug bounty process may vary over time.
Requirements
We require that researchers:
Do not access customer or employee personal information, pre-release BSCStation content, or confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
Do not degrade the BSCStation user experience, disrupt production systems, or destroy data during security testing.
Perform research only within the scope.
Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar.
When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
Securely delete BSCStation information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.
If you fulfill these requirements, BSCStation will:
Work with you to understand and attempt to resolve the issue quickly.
Pay you for your research for unique vulnerabilities that meet the guidelines listed if you are the first to report the issue to us.
To encourage responsible disclosure, BSCStation will not file a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meet these requirements and guidelines.
If you have any questions regarding the BSCStation Bug Bounty Program, please reach out to support@bscstation.org.
IN-SCOPE VULNERABILITIES
We are interested in the following vulnerabilities:
Unauthorized remote code execution
Domain takeover
Injection attacks
Leaked secrets or sensitive information
Denial of service - application level
Account takeover
Access control flaws
Application layer denial-of-service
Other vulnerabilities with a clear potential loss
OUT-OF-SCOPE VULNERABILITIES
Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:
Vulnerabilities in third-party applications
Unexploitable theoretical or best practices concerns
Recently (less than 30 days) disclosed 0day vulnerabilities
Vulnerabilities affecting users of outdated browsers or platforms
Social engineering, spam, phishing, physical, or other fraud activities
Most brute-forcing issues without clear impact
Network DoS/DDoS issues
Non-sensitive Information Disclosure
Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking
Self-XSS that cannot be used to exploit other users
Missing cookie flags on non-sensitive cookies
CSRF on unauthenticated endpoints
OPTIONS/TRACE HTTP method enabled
Host header issues without proof-of-concept demonstrating the vulnerability
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Any attacks requiring physical access to a user's device
CSP issues unless exploitable with POC
Disclosure Guidelines
Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from BSCStation.
No vulnerability disclosure, including partial, is allowed for the moment.
Please do NOT publish/discuss bugs.
Eligibility and Coordinated Disclosure
We are happy to thank everyone who submits valid reports which help us improve the security and enhance the community’s experience on the BSCStation Platform. However, only those that meet the following eligibility requirements may receive a monetary reward:
You must be the first reporter of a vulnerability.
The vulnerability must be a qualifying vulnerability.
Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through support@bscstation.org.
You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots/videos or proof of concept code as necessary.
You must not be a former or current employee of BSCStation or one of our contractors.
Provide detailed but to-the-point reproduction steps.
We strive to maintain a healthy relationship with the security research community and base our report evaluation on industry norms and logical reasoning. However, in case of any disputes, our decision is final.
About BSCStation
BSCStation - The fully decentralized protocol for launching new ideas. An all-in-one Incubation Hub with a full-stack DeFi platform across all main blockchain networks. We provide exclusive services including IDO/INO Launchpad, Yield farming, NFT Auction, Marketplace, and BSCSwap.
BSCStation operates on top of all the main blockchain networks and is designed to offer maximum value to consumers and institutions.
The BSCStation platform uses the Sharing Economy Model for the purpose of profit-sharing, helping users to access DeFi platforms in the easiest, safest, and most cost-effective way. BSCStation is the most convenient bridge to connect users and application products on all main blockchain networks.
I'm so happy to join this great project