Welcome to the Bug Bounty Program at Blockscout! Ensuring the safety of our platform is a top priority, and we greatly appreciate the crucial role security researchers play in contributing to open source. Should you identify a possible security vulnerability within our platform, we invite you to join our bug bounty program and share your findings.

How to report a security vulnerability

Send us an email with the information below. We ask that you please keep your findings confidential during the reporting process. We will get back to you with our diagnosis or additional comments/questions as required. We may patch the vulnerability prior to our response to you, and will determine the risk level and possible payout on a case-by-case basis.
  1. Description of the bug/vulnerability Clearly describe the vulnerability you’ve discovered.
  2. **Steps to reproduce **Outline the steps needed to replicate the vulnerability.
  3. Impact analysis Assess the potential impact of the vulnerability on users, developers, and the organization.
  4. **Code fix (optional) **If possible and appropriate, you may include a suggested code fix for the vulnerability.
  5. Type of vulnerability Choose a label that best fits the category of the bug for classification purposes. This aids in rewards distribution and participation.
  6. Additional Context Provide any additional information that could help in understanding and resolving the issue.
  7. Email your report Email your report to security@blockscout.com
Information is also available on the SECURITY page of our Github Repo.

Rewards

If you are the first person to report the issue and we make a code or configuration change based on your findings, we will reward you with a bounty and mention (at your discretion) in our 🏛 Security Hall of Fame!

Risk Levels

  1. Critical Risk: $1000 to $4000 in crypto equivalent based on severity.
  2. High Risk: Up to $500 in crypto equivalent.
  3. Moderate Risk: Up to $250 in crypto equivalent.
  4. Low Risk: Up to $100 in crypto equivalent.
Security issue submission does not automatically qualify you for a bounty reward. Final determinations regarding risk severity, reward amounts, and payment schedules are made exclusively by the Blockscout team. For vulnerabilities found across multiple explorers, rewards are only issued for the first reported instance*. *Please review the general guidelines below for more information about our evaluation process.

Bounty Considerations

Vulnerabilities in the following areas are eligible for bounty consideration.
  • Business logic bugs or problems
  • Remote code execution (RCE)
  • Database vulnerability, SQLi
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Sensitive information leaks
  • Server-Side Request Forgery (SSRF)
  • Other vulnerability with a clear potential loss

Out of Scope Items

Unless presenting a serious business risk (at our discretion), the following are typically not eligible for rewards:
  • Minor visual bugs, spelling errors, etc.
  • Social engineering tactics (e.g., phishing)
  • Issues in applications or systems not listed in the scope
  • UI/UX bugs, data entry errors, and typos
  • Network level Denial of Service (DoS/DDoS) vulnerabilities
  • Certificate/TLS/SSL issues
  • DNS configuration problems
  • Server configuration issues (open ports, TLS configurations, etc.)
  • Spam or social engineering techniques
  • Security flaws in third-party apps or services
  • Non-impactful XSS exploits
  • CSRF-XSS issues related to login/logout
  • Issues related to https/ssl or server-info disclosure
  • Mixed Content Scripts
  • Brute Force attacks
  • General best practices concerns
  • Recently disclosed 0day vulnerabilities
  • Username/email enumeration via error messages
  • Missing HTTP security headers
  • Weak password policies
  • HTML injection

🏛 Security Hall of Fame

Thank you for your help keeping vital public infrastructure like block explorers safe and secure!