We believe that working with skilled security researchers is fundamental to identifying weaknesses in any technology. If you believe you have found a vulnerability in one of our products, please reach out and we will ensure you are rewarded for your discovery.
Once a vulnerability is reported, the AppCoins team rates the security issue using the OWASP risk rating model. A vulnerability's severity is classified as the product of the impact of the exploit and the likelihood of it being used.
Impact x Likelihood = Risk Severity
Overall Risk Severity (rows: Impact; columns: Likelihood)

Impact \ Likelihood | LOW | MEDIUM | HIGH |
---|---|---|---|
HIGH | Medium | High | Critical |
MEDIUM | Low | Medium | High |
LOW | Note | Low | Medium |
Our minimum reward is 30 Euros.
Considering the risk assigned by the AppCoins team, the possible rewards are defined as follows:
Qualification | Score CVSS | Bounty |
---|---|---|
None | N/A | No Bounty |
Low | 0.1 - 3.9 | <= 50€ |
Medium | 4.0 - 6.9 | <= 100€ |
High | 7.0 - 8.9 | <= 300€ |
Critical | 9.0 - 10.0 | <= 500€ |
We thank everyone submitting valid reports. In order for a report to be eligible for a monetary reward, the following conditions need to be respected:
- You must be the first reporter of a vulnerability.
- Any vulnerability found must be reported no later than 24 hours after discovery, through email or the bug bounty platform.
- You must send a clear description of the report along with steps to reproduce the issue; proof-of-concept code may be required.
- You must refrain from exploiting a vulnerability which may lead to service interruption on the Ethereum main network; please use the Ropsten network for testing.
- You must not leak, manipulate or destroy user data on Ethereum main network contracts.
- You must not try to exploit the bug and access contract data in order to look for further vulnerabilities.
- You must not disclose any of the vulnerability information publicly before our team evaluates the vulnerability and acts accordingly.
Reports are reviewed within 5 working days (we will try to respond sooner if possible). We will prioritize vulnerability fixes based on the risk severity, so it is mandatory to contact us before any public vulnerability disclosure.
This bug bounty is valid for every smart contract maintained by the AppCoins Protocol Team. The only smart contract out of the scope of this bug bounty is the AppCoins token contract (ERC-20 token contract). The following are out of scope of this program:
- Denial of service attacks against Ethereum network are strictly out of scope of this program
- AppCoins token contract (ERC-20 token contract) is out of scope of this program
- Any vulnerability related to AppCoins Credits Balance smart contract (https://github.com/AppStoreFoundation/asf-contracts/blob/dev/contracts/AppCoinsCreditsBalance.sol)
- Any vulnerability against AppStore Foundation servers
- Any hypothetical flaw or best-practice issue without an exploitable POC
- Any physical attempts against AppStore Foundation (ASF) or Aptoide offices or data centers
- Vulnerabilities found on front-end services, or on the AppStore Foundation and AppCoins websites
- Vulnerabilities found on ASF wallet or ASF SDK
- Vulnerabilities found on ASF Unity plugin
- Vulnerabilities related to Solidity compiler or language design
Authorized Conduct
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep App Store Foundation and our users safe!