# Bug Bounty Program

#### **1. Guidelines**

We ask that all researchers:

* Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
* Use the identified communication channels to report vulnerability information to us
* Report vulnerabilities as soon as you discover them, but keep them confidential between yourself and Etherscan until we've resolved the issue
* Provide us with at least 7 working days to investigate the issue and respond to you

#### **2. If you are the first to report the issue, and we make a code or configuration change based on the issue, we commit to:**

* Recognize your contribution on mapnode.io (list below for the last 50 contributors)
* Reward you with a bounty (up to a maximum of $2500 paid out per month):
  * $1000-$3000 in crypto equivalent if you identified a vulnerability that presented a critical risk \*
  * $500 in crypto equivalent if you identified a vulnerability that presented a high risk \*
  * $250 in crypto equivalent if you identified a vulnerability that presented a moderate risk \*
  * $0 in crypto equivalent if you identified a vulnerability that presented a low risk \*
  * Entry in the Hall of Fame only, if there was in fact no or low risk vulnerability, but we still made a code or configuration change nonetheless

*The researcher will provide us with a BSC BEP20 address for the payout within 7 days after we have resolved the issue.*

*\* Vulnerability level will be determined at our discretion.*

*\*\* In the event the vulnerability exists in multiple explorers, only the first explorer is entitled to the rewards.*

#### **3. Scope**

Website: [https://mapnode.io](https://mapnode.io/)

We are interested in the following vulnerabilities:

* Business logic issues
* Remote code execution (RCE)
* Database vulnerabilities, SQLi
* File inclusions (local & remote)
* Access control issues (IDOR, privilege escalation, etc.)
* Leakage of sensitive information
* Server-Side Request Forgery (SSRF)
* Other vulnerabilities with a clear potential loss

#### **4. Out of scope**

Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:

* Visual typos, spelling mistakes, etc.
* Findings derived primarily from social engineering (e.g. phishing, etc.)
* Findings from applications or systems not listed in the 'Scope' section
* UI/UX bugs, data entry errors, spelling mistakes, typos, etc.
* Network-level Denial of Service (DoS/DDoS) vulnerabilities
* Certificates/TLS/SSL related issues
* DNS issues (i.e. MX records, SPF records, etc.)
* Server configuration issues (i.e. open ports, TLS, etc.)
* Spam or social engineering techniques
* Security bugs in third-party applications or services
* XSS exploits that do not pose a security risk to 'other' users (Self-XSS)
* Login/Logout CSRF-XSS
* HTTPS/SSL or server-info disclosure related issues
* HTTPS mixed content scripts
* Brute force attacks
* Best practices concerns
* Recently (less than 30 days) disclosed 0day vulnerabilities
* Username/email enumeration via Login/Forgot Password page error messages
* Missing HTTP security headers
* Weak password policy

#### **5. How to Report a Security Vulnerability**

Please include the following in your report:

* Description of the location and potential impact of the vulnerability
* A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
* Your name/handle and a link for recognition in our Hall of Fame (twitter, reddit, facebook, hackerone, etc.)
* Email us at **<support@mapnode.io>**
