Bug Bounty Program

MaiCoin

Modified on: Sat, 9 Jan, 2021 at 11:25 AM

Scope, Policy and Reward

Scope

www.maicoin.com (https://www.maicoin.com/)
max.maicoin.com (https://max.maicoin.com/)
api.maicoin.com (https://api.maicoin.com/)
max-api.maicoin.com (https://max-api.maicoin.com/)
Android: com.maicoin.maicoin (https://play.google.com/store/apps/details?id=com.maicoin.maicoin)
Android: com.maicoin.max (https://play.google.com/store/apps/details?id=com.maicoin.max)
iOS: MaiCoin https://itunes.apple.com/tw/app/id1439583926
iOS: Max https://itunes.apple.com/tw/app/id1370837255

Policy

Please provide MaiCoin detailed reports with reproducible steps.
Provide MaiCoin a reasonable amount of time to resolve the issue.
Please do not disclose any vulnerabilities, any information you reported to MaiCoin, and any feedback from MaiCoin regarding the vulnerabilities to any third party without the prior written consent of MaiCoin even if the vulnerabilities have been resolved.
Do not attempt to view, modify, or damage data belonging to others.
MaiCoin is entitled to terminate the program or revise the clauses of this program unilaterally in any time.

In the same time, you are eligible for monetary rewards only if you have met all the following conditions:

The reporter must be the first person to report the issue to us. We will review the duplicate bugs to see if they provide additional information, but otherwise only reward the first reporter.
The vulnerability you reported is confirmed to be verifiable, reproducible, exploitable, and included in the scope.
The reporter have complied with the program terms and regulations.
The reporter have to report the issue before the program is terminated.

Additionally, all vulnerabilities that require or are related to the following are out of scope:

Social engineering(e.g. phishing).
Physical security.
Non-security-impacting UX issues.
Deprecated Open Source libraries are not in scope. If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.
Missing best practices in SSL/TLS configuration.
Self-XSS and issues exploitable only through Self-XSS.
Clickjacking on pages with no sensitive actions.
Related to tab-jacking, tab-nabbing, and text injection.
Related to DNS over HTTPS, DNSSEC, and DNS CAA record.
Attacks requiring MITM, physical access or privileged access(e.g. root a phone) to a user's device.
Any activity that could lead to the denial/degradation of service (DoS).
Enforcement policies for brute force or account lockout.
Missing security headers.
Unauthenticated/logout/login CSRF.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Unconfirmed reports from automated vulnerability scanners.
Disclosure of server or software version numbers.
Disclosure of known public files and other information disclosures that are not a risk (e.g. robots.txt).
Disclosure of information with minimal security impact (e.g. stack traces, path or directory listing, logs).
Theoretical sub-domain takeovers with no supporting evidence.
Vulnerabilities or weaknesses in third party applications that integrate with MaiCoin.
Issues only present in end-of-life software.
Ability to abuse existing banking functionality.
Exposure of the IP address or domains.
Spamming or Un-limiting Email rate.

Participants shall not perform:

Any act that violates the rights of others or the law.
Spamming MaiCoin users arbitrarily with spam messages.
Viewing, deletion, modification or disclosure of other users’ data using the discovered vulnerability.
Viewing, deletion, modification or disclosure of source code using the discovered vulnerability.
Any act other than those listed above that is contrary to the spirit and purpose of the program.

MaiCoin will make a best effort to adhere to the following response targets:

Type of response	Business day
First response	3 days
Time to triage	7 days
Time to bounty	30 days

Inquiries regarding the program:

All inquiries regarding the program are to be submitted to the bounty@maicoin.com. Inquiries sent by any other method will not receive a response.

Vulnerability investigation and reporting:

Please contact us at bounty@maicoin.com if you have found a vulnerability, and use PGP encryption offered by MaiCoin when sending bug reports to us. MaiCoin Security Team will respond to your report within three work days, and will soon release the vulnerability fix according to its severity.

PGP Key:

Reward

Reward table:

Level	Reward(USDT)
Critical	3000
High	750
Medium	150
Low	30

Reward will paid out in USDT or in the equivalent amount of TWD. Once your submission is accepted, please provide either of the following to receive your reward.

Your USDT wallet address
Your TWD account number

Vulnerability description:

Types of impacts that MaiCoin would consider to be critical include:

Read /write sensitive data in a system.
SQL injection
Remote arbitrary code execution
Vertical authentication/authorization bypass
Exfiltrate digital or fiat currency
And other critical-severity issues

Types of impacts that MaiCoin would consider to be high include:

Server-side request forgery to an internal service
Stored/Reflected XSS in the core service
Lateral authentication/authorization bypass
And other high-severity issues

Types of impacts that MaiCoin would consider to be medium include:

Cross-site request forgery
Server-side request forgery
Sensitive information/data disclosure
Server misconfiguration or provisioning errors with the immediate risks
Arbitrary file upload with the immediate risks
And other medium-severity issues

Types of impacts that MaiCoin would consider to be low include:

Server misconfiguration or provisioning errors
Found demo/example configuration
General information disclosure
And other low-severity issues