Table of Contents
Golden recently opened up our dApp to our customers to help facilitate improvements, analyze malicious behaviors, and ensure an easy-to-use solution for our customer experience. In an attempt to bring stronger transparency to our customers, we are opening up a security Bug Bounty to our web2, web3, and protocol. We will have increased payouts for validated findings until December 1, 2022.
Scope and Reporting
This is a black box test against our production environment. In order to have your vulnerability verified, you will need to send the report to firstname.lastname@example.org. Please make sure the subject is clear that this is a bug bounty request (e.g., Bug Bounty: XSS found in site). All findings MUST include:
- Repeatable, programmatic ways for the internal team to replicate and validate
- Vulnerability title, summary, and walkthrough
- All reports in English
Ensure that you adhere to Amazon’s Penetration Testing Policy.
Not in Scope
- Denial of Service (DoS/DDoS) style of attacks. If you believe you may have a DoS-related vulnerability then email email@example.com and we will work with internal testing or give you a specific time frame to test.
- Social Engineering style of attacks. This includes anything that would require another user to be coerced into navigating to or interacting with an “attack”. Examples include:
- Web Site Spoofing
- Link Manipulation. (e.g., changing an “l” to a “1” in a url to deceive a user)
- Brute force style attacks. This primarily focuses on gaining access to user’s accounts.
- Accessing another user’s data by any means. If you need to test an exploit that will interact with another user then set up a second user account for testing or reach out to firstname.lastname@example.org if you need specific testing requirements.