Bug Bounty Program
1. Guidelines
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
- Use the identified communication channels to report vulnerability information to us
- Report vulnerabilities as soon as you discover them, but keep them confidential between yourself and Etherscan until we’ve resolved the issue.
- Provide us with at least 7 working days to investigate the issue and get back to you
- Recognize your contribution on mapnode.io (the last 50 contributors are listed below)
- Reward you with a bounty (up to a maximum of $2500 paid out per month):
  - $1000-$3000 in crypto equivalent if you identified a vulnerability that presented a critical risk *
  - $500 in crypto equivalent if you identified a vulnerability that presented a high risk *
  - $250 in crypto equivalent if you identified a vulnerability that presented a moderate risk *
  - $0 in crypto equivalent if you identified a vulnerability that presented a low risk *
  - Entry in the Hall of Fame only, if there was in fact no or low-risk vulnerability but we nonetheless made a code or configuration change
- The researcher will provide us with a BSC BEP20 address for the payout within 7 days after we have resolved the issue.

* Vulnerability level will be determined at our discretion.
** In the event the vulnerability exists in multiple explorers, only the first explorer is entitled to the rewards.
WebSite: https://mapnode.io
We are interested in the following vulnerabilities:
• Business logic issues
• Remote code execution (RCE)
• Database vulnerability, SQLi
• File inclusions (Local & Remote)
• Access Control Issues (IDOR, Privilege Escalation, etc)
• Leakage of sensitive information
• Server-Side Request Forgery (SSRF)
• Other vulnerability with a clear potential loss
Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:
• Visual typos, spelling mistakes, etc
• Findings derived primarily from social engineering (e.g. phishing, etc)
• Findings from applications or systems not listed in the ‘Scope’ section
• UI/UX bugs, Data entry errors, spelling mistakes, typos, etc
• Network level Denial of Service (DoS/DDoS) vulnerabilities
• Certificates/TLS/SSL related issues
• DNS issues (e.g. MX records, SPF records, etc.)
• Server configuration issues (e.g. open ports, TLS, etc.)
• Spam or Social Engineering techniques
• Security bugs in third-party applications or services
• XSS Exploits that do not pose a security risk to 'other' users (Self-XSS)
• Login/Logout CSRF-XSS
• https/ssl or server-info disclosure related issues
• https Mixed Content Scripts
• Brute Force attacks
• Best practices concerns
• Recently (less than 30 days) disclosed 0day vulnerabilities
• Username/email enumeration via Login/Forgot Password Page error messages
• Missing HTTP security headers
• Weak password policy
5. How to Report a Security Vulnerability
• Description of the location and potential impact of the vulnerability
• A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
• Your name/handle and a link for recognition in our Hall of Fame (Twitter, Reddit, Facebook, HackerOne, etc.)
• Email us at [email protected]
Last modified 1yr ago