The ViaBTC Security Bounty aims to provide global users with a secure, stable, and efficient mining platform. This program is divided into three levels from L1 to L3 according to the threat degree of potential vulnerabilities, with up to 10,000 USDT as a reward to encourage more users and white hat hackers to discover and report security vulnerabilities. The domain name is www.viabtc.com.
1. ViaBTC attaches great importance to the safety of its products and business. ViaBTC promises that each reported problem will be followed up, analyzed, dealt with, and responded to in a timely manner.
2. ViaBTC may need the help of the reporter when following up on the problem and may require the reporter to reproduce the problem to ensure effective follow-up.
3. ViaBTC highlights the responsible vulnerability disclosure and handling process, and promises to give rewards and thanks to every user who adheres to the spirit of the white hat hacker, protects users’ interests, and helps ViaBTC improve the security quality.
4. ViaBTC opposes and condemns all hacking activities that use vulnerability testing as an excuse to damage and harm users’ interests, including but not limited to exploiting vulnerabilities to steal users’ privacy and virtual property, invading business systems, stealing user data, and maliciously spreading vulnerabilities.
5. ViaBTC opposes and condemns all acts of using security vulnerabilities to intimidate users and attack competitors.
6. ViaBTC retains the right to the final interpretation of the security bounty program.
Rewards and Rating standards
Definition: Vulnerabilities of this level have limited hazards or potential security hazards.
1. Misuse of the verification code interface, high-frequency verification codes, and password collision, etc.
2. Less harmful vulnerabilities such as CSRF attacks on non-sensitive operations, and SPF mail forgery.
3. Vulnerabilities that affect the availability and stability of the system, causing a response failure of the system.
Definition: Vulnerabilities of this level endanger sensitive information or asset security and can cause a certain range of impacts or certain asset losses.
1. Vulnerabilities such as XSS and CSRF attacks that affect some users and cause the leakage of users’ sensitive information or the performing of sensitive operations beyond their authority.
2. Vulnerabilities in the verification logic, password resetting, and other functions that can be used to obtain access to user accounts.
3. Vulnerabilities caused by product design defects that affect data and asset security.
Definition: Vulnerabilities of this level can lead to serious asset loss or leakage of sensitive information in batches.
1. Vulnerabilities that damage the asset security of users or platforms, like wallet private key leakage, deposit vulnerabilities, etc.
2. Unauthorized access to the system to obtain system permissions, through SQL injection, remote code execution, and other high-risk vulnerabilities.
3. Unauthorized access to sensitive information with immense reach, such as unauthorized access to user accounts, illegal access to sensitive data in the background of the system, etc.
Security Bounty Program Process
1. Submit a report
The reporter can send the report to firstname.lastname@example.org, or submit the report by submitting a request.
Note: The report should be as detailed as possible, including text, URL, screenshots, etc. If necessary, attach a file.
2. Vulnerability investigation and evaluation
(1) Within three working days, ViaBTC staff will confirm the received report and follow up to evaluate the problem.
(2) Within seven working days, ViaBTC staff will give a conclusion and rating, communicate and confirm with the reporter if necessary, and ask for the reporter's assistance.
3. Fix the reported issue
(1) Our technical department will fix the reported security issue and schedule an update. The repair time depends on the severity of the issue and technical difficulties. For security issues in the client, the repair time depends on the situation since it's affected by the release schedule.
(2) The researcher can review whether the security problem is fixed.
4. Final stage
After the repair is completed, ViaBTC will distribute the bounty rewards to the security researcher according to the “Reward and Evaluation Criteria”.
Q: Will ViaBTC disclose the information related to the vulnerability report?
A: In order to protect users’ interests and privacy, the report-related information will not be made public.
Q: Is the ViaBTC Security Bounty Program a disguise for using rewards to conceal security issues?
A: No. First of all, ViaBTC believes that related information should not be disclosed to protect users’ interests and privacy, which is also a common practice in the industry. Secondly, the rewards from ViaBTC are to express gratitude and respect to the reporters, instead of concealing security issues.
Q: Will ViaBTC “ignore” the vulnerability and then secretly fix it?
A: Absolutely not. If a vulnerability report is “ignored”, our staff will explain the reason in the report feedback. Usually, this happens because the “vulnerability” is not considered a vulnerability but is evaluated as a bug. ViaBTC will not “secretly fix the vulnerability” in any case.