Bug Bounty Program
Out of Scope Issues
The following issues won’t be considered for a bounty.
- Rate limit issue
- Open Redirection (we will approve critical cases, e.g. stealing another user’s token)
- DoS or resource exhaustion
- Client-side issues that do not affect the latest version of common browsers (Chrome, Firefox).
- HTML injection without ability to execute malicious script.
- Self XSS, CSRF, CORS without affecting other users
- Clickjacking.
- SPF, DKIM and DMARC issues.
- Social Engineering
Severity and Reward
Reward amounts vary depending on the severity of the vulnerability and its impact on Indiya Coin. We use the international standard for risk calculations, the OWASP Risk Rating Methodology.
Only medium, high and critical severity issues will receive a reward.
How to Participate
- Send an email to: security@indiyacoin.com
- Subject: [BUG] {bug title}
Rules
- Be the first one to report a specific vulnerability. Duplicate reports are not eligible for a bounty reward.
- Include details and a verifiable proof of concept (e.g. screenshot, video, script). If our team cannot reproduce or verify the issue, the bounty cannot be awarded.
- The reporter is eligible for a bounty after the Indiya Coin team decides to fix the bug.
- The reporter of a vulnerability is prohibited from disclosing the bug to the public before the Indiya Coin team has fixed it.
- The reporter of a vulnerability is required to use their own account when performing testing or producing a vulnerability.
- DO NOT attempt to view or tamper with any data belonging to others.
- The reporter of a vulnerability is prohibited from disturbing, changing, adding, or deleting any data or configuring Indiya Coin systems, targeting other users, or compromising the reputation of Indiya Coin.
- DO NOT perform DDoS or DoS attacks against Indiya Coin systems.
- By sending a bug report to Indiya Coin, the reporter of the vulnerability agrees to give Indiya Coin the full rights to keep using that bug report for internal purposes without paying any royalty, license, or intellectual property rights.
- By participating in this program, you have agreed to comply with all applicable local and international laws.
What do we consider?
Likelihood Factors | Impact Factors |
Skill Level | Loss of Confidentiality |
Motive | Loss of Integrity |
Opportunity | Loss of Availability |
Size | Loss of Accountability |
Ease of Discovery | Financial Damage |
Awareness | Non-compliance |
Ease of Exploit | Reputation Damage |
Intrusion Detection | Privacy Violation |
Reward
Name | Reward Point | Reward INC |
Low | 1 | 0 |
Medium | 3 | 500,0 – 1,000,0 |
High | 6 | 2,000,0 – 4,000,0 |
Critical | 10 | 6,000,0 – 10,000,0 |
Reward will be transferred using INC.
Please make sure you have an ERC20 / Binance Chain based wallet.