- Scope, Policy and Reward
- www.maicoin.com (https://www.maicoin.com/)
- max.maicoin.com (https://max.maicoin.com/)
- api.maicoin.com (https://api.maicoin.com/)
- max-api.maicoin.com (https://max-api.maicoin.com/)
- Android: com.maicoin.maicoin (https://play.google.com/store/apps/details?id=com.maicoin.maicoin)
- Android: com.maicoin.max (https://play.google.com/store/apps/details?id=com.maicoin.max)
- iOS: MaiCoin https://itunes.apple.com/tw/app/id1439583926
- iOS: Max https://itunes.apple.com/tw/app/id1370837255
- Please provide MaiCoin detailed reports with reproducible steps.
- Provide MaiCoin a reasonable amount of time to resolve the issue.
- Please do not disclose any vulnerabilities, any information you reported to MaiCoin, and any feedback from MaiCoin regarding the vulnerabilities to any third party without the prior written consent of MaiCoin even if the vulnerabilities have been resolved.
- Do not attempt to view, modify, or damage data belonging to others.
- MaiCoin is entitled to terminate the program or revise the clauses of this program unilaterally in any time.
In the same time, you are eligible for monetary rewards only if you have met all the following conditions:
- The reporter must be the first person to report the issue to us. We will review the duplicate bugs to see if they provide additional information, but otherwise only reward the first reporter.
- The vulnerability you reported is confirmed to be verifiable, reproducible, exploitable, and included in the scope.
- The reporter have complied with the program terms and regulations.
- The reporter have to report the issue before the program is terminated.
Additionally, all vulnerabilities that require or are related to the following are out of scope:
- Social engineering(e.g. phishing).
- Physical security.
- Non-security-impacting UX issues.
- Deprecated Open Source libraries are not in scope. If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.
- Missing best practices in SSL/TLS configuration.
- Self-XSS and issues exploitable only through Self-XSS.
- Clickjacking on pages with no sensitive actions.
- Related to tab-jacking, tab-nabbing, and text injection.
- Related to DNS over HTTPS, DNSSEC, and DNS CAA record.
- Attacks requiring MITM, physical access or privileged access(e.g. root a phone) to a user's device.
- Any activity that could lead to the denial/degradation of service (DoS).
- Enforcement policies for brute force or account lockout.
- Missing security headers.
- Unauthenticated/logout/login CSRF.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Unconfirmed reports from automated vulnerability scanners.
- Disclosure of server or software version numbers.
- Disclosure of known public files and other information disclosures that are not a risk (e.g. robots.txt).
- Disclosure of information with minimal security impact (e.g. stack traces, path or directory listing, logs).
- Theoretical sub-domain takeovers with no supporting evidence.
- Vulnerabilities or weaknesses in third party applications that integrate with MaiCoin.
- Issues only present in end-of-life software.
- Ability to abuse existing banking functionality.
- Exposure of the IP address or domains.
- Spamming or Un-limiting Email rate.
Participants shall not perform:
- Any act that violates the rights of others or the law.
- Spamming MaiCoin users arbitrarily with spam messages.
- Viewing, deletion, modification or disclosure of other users’ data using the discovered vulnerability.
- Viewing, deletion, modification or disclosure of source code using the discovered vulnerability.
- Any act other than those listed above that is contrary to the spirit and purpose of the program.
MaiCoin will make a best effort to adhere to the following response targets:
|Type of response||Business day|
|First response||3 days|
|Time to triage||7 days|
|Time to bounty||30 days|
Inquiries regarding the program:
All inquiries regarding the program are to be submitted to the email@example.com. Inquiries sent by any other method will not receive a response.
Vulnerability investigation and reporting:
Please contact us at firstname.lastname@example.org if you have found a vulnerability, and use PGP encryption offered by MaiCoin when sending bug reports to us. MaiCoin Security Team will respond to your report within three work days, and will soon release the vulnerability fix according to its severity.
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
Reward will paid out in USDT or in the equivalent amount of TWD. Once your submission is accepted, please provide either of the following to receive your reward.
- Your USDT wallet address
- Your TWD account number
Types of impacts that MaiCoin would consider to be critical include:
- Read /write sensitive data in a system.
- SQL injection
- Remote arbitrary code execution
- Vertical authentication/authorization bypass
- Exfiltrate digital or fiat currency
- And other critical-severity issues
Types of impacts that MaiCoin would consider to be high include:
- Server-side request forgery to an internal service
- Stored/Reflected XSS in the core service
- Lateral authentication/authorization bypass
- And other high-severity issues
Types of impacts that MaiCoin would consider to be medium include:
- Cross-site request forgery
- Server-side request forgery
- Sensitive information/data disclosure
- Server misconfiguration or provisioning errors with the immediate risks
- Arbitrary file upload with the immediate risks
- And other medium-severity issues
Types of impacts that MaiCoin would consider to be low include:
- Server misconfiguration or provisioning errors
- Found demo/example configuration
- General information disclosure
- And other low-severity issues