Cellframe is an open-source framework for 3rd generation blockchain bridge, protected by post-quantum cryptography.

Managed by WhiteHub

Points - 10,000 USD

4 April 2022

  • This program will stop receiving reports from now

Updated by Cellframe 2 years ago

19 March 2022

  • Currency was changed to USD

Updated by Cellframe 2 years ago

18 March 2022

  • Description was changed

Updated by Cellframe 2 years ago

18 March 2022

  • Description was changed

Updated by Cellframe 2 years ago

18 March 2022

  • Description was changed
 
 ## Qualifying vulnerabilities
 Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
+- Sensitive information leakage (e.g., private keys wallets, seeds, shielded transaction de-anonymization, etc), public keys are excluded from this scope

+- Transaction/certificate tampering (e.g., Changing the recipient address or amount)

+- Transaction/certificate replay without majority mining hashrate (e.g., double-spend)

+- Transaction/certificate withholding (e.g., censorship of transactions)

+- Coin supply inflation (e.g., minting more coins than intended by the emission schedule)

+- Bugs that cause the service to crash (e.g., Non-network-based DoS)

+- Remote code execution vulnerabilities (proof of concept required)

+- Attacks that result in harm to the quality of the blockchain or linked/neighbor nodes (e.g., attacks causing DoS score increase of honest behaving neighbours, etc)

+- Effective non-network-bandwidth-flooding DDoS attacks (e.g., transaction hammering, etc)

+- Bugs that cause bypassing of certificates’ acceptance validation rules

+- Bugs that cause the software to behave in a different way from the expected behaviour defined in the Cellframe whitepaper

 
-- Remote Code Execution

-- SQL Injection (SQLi)

-- Business Logic

-- Mobile-specific API vulnerabilities

-- Cross Site Scripting (XSS)

-- Cross-Site Request Forgery (CSRF)

-- Authentication-related issues

-- Authorization-related issues

-- Data Exposure

 
 ## Non-qualifying vulnerabilities
 Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not earn a monetary reward:
-

-- URL redirection

-- Bugs requiring exceedingly unlikely user interaction

-- Logout cross-site request forgery 

-- Flaws affecting the users of out-of-date browsers and plugins.

-- Presence of banner or version information

-- Email spoofing

-- DDoS
+- Mainnet use of software is out of scope

+- Any attack requiring the majority of the mining hashrate

+- Attacks requiring MITM or physical access to a user's device.

+- Previously known vulnerable libraries without a working Proof of Concept.

+- Missing best practices in SSL/TLS configuration.

+- Any activity that could lead to the disruption of our service (DoS).

+- Rate limiting or bruteforce issues on non-authentication / local endpoints (e.g., RPCs, websocket)

+- Missing best practices in Content Security Policy.

+- Missing HttpOnly or Secure flags on cookies

+- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.), email spoofing

+- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

+- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

+- Open redirect - unless an additional security impact can be demonstrated

+- Issues that require unlikely user interaction

Updated by Cellframe 2 years ago