Cellframe
Cellframe is an open-source framework for a third-generation blockchain bridge, protected by post-quantum cryptography.
Managed by WhiteHub
Points - 10,000 USD
Updated by Cellframe 2 years ago
## Qualifying vulnerabilities
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
+- Sensitive information leakage (e.g., wallet private keys, seeds, shielded transaction de-anonymization, etc.); public keys are excluded from this scope
+- Transaction/certificate tampering (e.g., Changing the recipient address or amount)
+- Transaction/certificate replay without majority mining hashrate (e.g., double-spend)
+- Transaction/certificate withholding (e.g., censorship of transactions)
+- Coin supply inflation (e.g., minting more coins than intended by the emission schedule)
+- Bugs that cause the service to crash (e.g., Non-network-based DoS)
+- Remote code execution vulnerabilities (proof of concept required)
+- Attacks that result in harm to the quality of the blockchain or linked/neighbour nodes (e.g., attacks causing a DoS score increase for honestly behaving neighbours, etc.)
+- Effective non-network-bandwidth-flooding DDoS attacks (e.g., transaction hammering, etc)
+- Bugs that cause bypassing of certificates’ acceptance validation rules
+- Bugs that cause the software to behave in a different way from the expected behaviour defined in the Cellframe whitepaper
-- Remote Code Execution
-- SQL Injection (SQLi)
-- Business Logic
-- Mobile-specific API vulnerabilities
-- Cross Site Scripting (XSS)
-- Cross-Site Request Forgery (CSRF)
-- Authentication-related issues
-- Authorization-related issues
-- Data Exposure
## Non-qualifying vulnerabilities
Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not earn a monetary reward:
-- URL redirection
-- Bugs requiring exceedingly unlikely user interaction
-- Logout cross-site request forgery
-- Flaws affecting the users of out-of-date browsers and plugins.
-- Presence of banner or version information
-- Email spoofing
-- DDoS
+- Mainnet use of software is out of scope
+- Any attack requiring the majority of the mining hashrate
+- Attacks requiring MITM or physical access to a user's device.
+- Previously known vulnerable libraries without a working proof of concept.
+- Missing best practices in SSL/TLS configuration.
+- Any activity that could lead to the disruption of our service (DoS).
+- Rate limiting or bruteforce issues on non-authentication / local endpoints (e.g., RPCs, websocket)
+- Missing best practices in Content Security Policy.
+- Missing HttpOnly or Secure flags on cookies
+- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.), email spoofing
+- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
+- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
+- Open redirect - unless an additional security impact can be demonstrated
+- Issues that require unlikely user interaction