Bug Bounty Program

1. Guidelines

We ask that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing

  • Use the identified communication channels to report vulnerability information to us

  • Report vulnerabilities as soon as you discover it, but keep it confidential between yourself and Etherscan until we’ve resolve the issue.

  • Provide us with at least 7 working days to investigate the issue and revert back to you

2. If you are the first to report the issue, and we make a code or configuration change based on the issue, we commit to:

  • Recognize your contribution on hebeto.com (list below for the last 50 contributors)

  • Reward you with a bounty (up to a maximum of $2500 paid out per month): - $1000-$3000 in crypto equivalent if you identified a vulnerability that presented a critical risk * - $500 in crypto equivalent if you identified a vulnerability that presented a high risk * - $250 in crypto equivalent if you identified a vulnerability that presented a moderate risk * - $0 in crypto equivalent if you identified a vulnerability that presented a low risk * - Entry in Hall of Fame Only, If there was in fact no or low risk vulnerability, but we still made a code or configuration change nonetheless Researcher will provide us with an bsc bep20 address for the payout within 7 days after we have resolved the issue. * vulnerability level will be determined at our discretion ** in the event the vulnerabilty exists in multiple explorers, only the first explorer is entitled to the rewards

3. Scope

WebSite: hebeto.com We are interested in the following vulnerabilities: • Business logic issues • Remote code execution (RCE) • Database vulnerability, SQLi • File inclusions (Local & Remote) • Access Control Issues (IDOR, Privilege Escalation, etc) • Leakage of sensitive information • Server-Side Request Forgery (SSRF) • Other vulnerability with a clear potential loss

4. Out of scope

Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not correspond to the severity threshold • Visual typos, spelling mistakes, etc • Findings derived primarily from social engineering (e.g. phishing, etc) • Findings from applications or systems not listed in the ‘Scope’ section • UI/UX bugs, Data entry errors, spelling mistakes, typos, etc • Network level Denial of Service (DoS/DDoS) vulnerabilities • Certificates/TLS/SSL related issues • DNS issues (i.e. MX records, SPF records, etc.) • Server configuration issues (i.e., open ports, TLS, etc.) • Spam or Social Engineering techniques • Security bugs in third-party applications or services • XSS Exploits that do not pose a security risk to 'other' users (Self-XSS) • Login/Logout CSRF-XSS • https/ssl or server-info disclosure related issues • https Mixed Content Scripts • Brute Force attacks • Best practices concerns • Recently (less than 30 days) disclosed 0day vulnerabilities • Username/email enumeration via Login/Forgot Password Page error messages • Missing HTTP security headers • Weak password policy

5. How to Report a Security Vulnerability

• Description of the location and potential impact of the vulnerability • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us) • Your name/handle and a link for recognition in our recognitaion Hall of Fame (twitter, reddit, facebook, hackerone, etc) • Email us at support@hebeto.com

Last updated