Bug Bounty Program

  • Scope, Policy and Reward

Scope

Policy

  • Please provide MaiCoin detailed reports with reproducible steps.
  • Provide MaiCoin a reasonable amount of time to resolve the issue.
  • Please do not disclose any vulnerabilities, any information you reported to MaiCoin, and any feedback from MaiCoin regarding the vulnerabilities to any third party without the prior written consent of MaiCoin even if the vulnerabilities have been resolved. 
  • Do not attempt to view, modify, or damage data belonging to others.
  • MaiCoin is entitled to terminate the program or revise the clauses of this program unilaterally in any time.

In the same time, you are eligible for monetary rewards only if you have met all the following conditions:

  • The reporter must be the first person to report the issue to us. We will review the duplicate bugs to see if they provide additional information, but otherwise only reward the first reporter.
  • The vulnerability you reported is confirmed to be verifiable, reproducible, exploitable, and included in the scope.
  • The reporter have complied with the program terms and regulations.
  • The reporter have to report the issue before the program is terminated.

Additionally, all vulnerabilities that require or are related to the following are out of scope:

  • Social engineering(e.g. phishing).
  • Physical security.
  • Non-security-impacting UX issues.
  • Deprecated Open Source libraries are not in scope. If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR. 
  • Missing best practices in SSL/TLS configuration.
  • Self-XSS and issues exploitable only through Self-XSS.
  • Clickjacking on pages with no sensitive actions.
  • Related to tab-jacking, tab-nabbing, and text injection.
  • Related to DNS over HTTPS, DNSSEC, and DNS CAA record.
  • Attacks requiring MITM, physical access or privileged access(e.g. root a phone) to a user's device.
  • Any activity that could lead to the denial/degradation of service (DoS).
  • Enforcement policies for brute force or account lockout.
  • Missing security headers.
  • Unauthenticated/logout/login CSRF.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Unconfirmed reports from automated vulnerability scanners.
  • Disclosure of server or software version numbers.
  • Disclosure of known public files and other information disclosures that are not a risk (e.g. robots.txt).
  • Disclosure of information with minimal security impact (e.g. stack traces, path or directory listing, logs).
  • Theoretical sub-domain takeovers with no supporting evidence.
  • Vulnerabilities or weaknesses in third party applications that integrate with MaiCoin.
  • Issues only present in end-of-life software.
  • Ability to abuse existing banking functionality.
  • Exposure of the IP address or domains.
  • Spamming or Un-limiting Email rate.

Participants shall not perform:

  • Any act that violates the rights of others or the law.
  • Spamming MaiCoin users arbitrarily with spam messages.
  • Viewing, deletion, modification or disclosure of other users’ data using the discovered vulnerability.
  • Viewing, deletion, modification or disclosure of source code using the discovered vulnerability.
  • Any act other than those listed above that is contrary to the spirit and purpose of the program.

MaiCoin will make a best effort to adhere to the following response targets:

Type of responseBusiness day
First response3 days
Time to triage7 days
Time to bounty30 days

Inquiries regarding the program:

All inquiries regarding the program are to be submitted to the [email protected]. Inquiries sent by any other method will not receive a response.


Vulnerability investigation and reporting:

Please contact us at [email protected] if you have found a vulnerability, and use PGP encryption offered by MaiCoin when sending bug reports to us. MaiCoin Security Team will respond to your report within three work days, and will soon release the vulnerability fix according to its severity.


PGP Key:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF3U3oQBEADRxIkFpeCD7Wy8mlKRtswIopjzvsDpzeIfYx56Sp+/4+agMsL2
hHBWacLYlja9U2dIUizQwKSUT8kDeiLyZF9EUd2napbQLtALHok/NoD+BZtrPkUA
s0k1IK2YiS3tc56IomNgxUN88kWwFe4dmGyRWe3YfgcVT57VZcP/jI5HigoOb8Qa
slwcQGzoWmbgc5kVhGzS1EHZRFebB1fCCkxFxmxpyMUBhMmUOV02urRYli9EPjqE
bYKE0pE6J6avr3ijvZ5cb+Z/cnMSZooEUPPRfDJOKSbch8wUT6CVb0CjMQs1TA6+
/0FPvsjK/aPo/dq1IE191uo8yrP/BWScKAn6XmJQOjM+EFvGM9Doo3EkhnWf4S7O
XFX/5zVNjdIMBwyKVrbbDxRk+JNHxIvFjHFMkEcF+0CPsDaeMeGtjHoN36KgrDR0
IIlza78Kn0g8erxvSnuawJdSMtBD1Qiv74p4Vdqhl+QkupKQMfYApsHOh+ANymqg
aS981/1baQad1yqNrRi4Opx+JhnPC/WMup0wd/jlI5lOCtVKHF45TI2McNIrds7H
oalmCSVl9Y5qLdqxgnOV5Cq6EexrH4ZXlbWifINgNWKDQHW8ZfjrXGAQjNk+3u/X
LuueobqsxVve6aHdJeNOW2b2TTv1MpF+4wkjcmj490vhtl3GQbgvAa/viwARAQAB
tCpNYWlDb2luIFNlY3VyaXR5IFRlYW0gPGJvdW50eUBtYWljb2luLmNvbT6JAlQE
EwEIAD4WIQSfRg270GPVPXb8HAwwPU4qAj51iAUCXdTehAIbAwUJB4YfgAULCQgH
AgYVCgkICwIEFgIDAQIeAQIXgAAKCRAwPU4qAj51iH6JEAC8h6jnXjZ7n2i7qfWB
c604XYhyxq+9GuGRZ0Y79+7IDtT2hjbWYCrXoB48GJyu8FBd9DJvCQUnF8sI6umW
4tjQ0LLWcW8/u+RvqO391iUOueAd+JuLjIjYKskbJmWy+eqHMOgUbbtTHf3iKWwc
GB8hMmGsY4/GM4cPmhzBiL4FH0ltWfLQQWptoHmB48R87qkDFuRx51rNguSEGxqo
YAC4yaBdt3vUhVeN8189q6JS4r/gifblnWm2UYXnZSakN8jJwCe8E1DxlS+e/A3B
jgEn9uVyQsxLDP3Ygy1MCdLHm6maW+G44SBJIGShN51QEi5tQCO3gqmdZl2BzieI
LXd5KQzivezU1x7HHuuD7M3uWwtTjPUQ+dAc8YXzW2epkjwT3DKQZF83sIUrBNac
Np90um3vSrHCLCnc561KOc0TLCkMdHmIjlKL2UtW38HCZOvrpu7XL5xUP52J4f7W
IuH1A+lBbbPYN+xh0t9U7ypnFfO+kGZzVf8EFg9tPtMJ3N7e5MZNEWauQSetBZBM
B2BDVgChwNUNRdTMB1W4JUedyUYu2Oqg7oPXXAQq9ijc5zYsI4q1t5gYxxl4YkcJ
P5EDHmb0r9LcT1UpXNKucch7m4fl//HzGcDUUaVJs9tVnmb2NgUkv6FNbCoa2keH
yuD4qLzK6auYBaVI9YqqnMPXx7kCDQRd1N6EARAAsCzXLEssyJPrMGS1qAueKW18
kTf/0NtKoZg3TPxTlpZv9riSATL52xMpJ2ohWBic1jqxvlG7A4leymR0T3by6Jxq
rYWMUZhpiHvInZKC1vGgk3ctu2UaTPcB5dmIKuAFNgwir0Z3wej9dxI8DFN6K2+B
27DLljhDzVOGrtZ5vNXomL4LXyDp0ZeNrNXEwEmWZffTVdtNF0z5PZX3gVXGIav7
DmLrstaHocqUfcP17I0nM4yRMw1x7DMUjurOW9bRVEmN9BM7SAibIzMefBvJ59KF
ps36FiYJ/bRw1ez9qDFxytXyFdZAr5M+ToMEhLkofwaygE68i657CMsSbnnODNKI
gbQDbd9JMCqGrk5FXu3/0x4UOGHp7loVSRaQhHC4pwZP4vuovpMFjirzMAn9h6Qs
efG3JWoqtfZM9yh09JLtX79qq7Rw7Gf6TkSuVQgYPwa6rG/QJ2/dzJh8RGW94kdP
yNMDd8P4N3tlxXdmvP0/pkDuhK0xoePUlnu83KGaj1Jqr9RFwP5hz5BBC3Ckw4vw
phQvRcU9JeeI0QtoGecsjRyIM6/SMuyTtKBvDVbySU1tiitnH3Acjh+MYElzYJ4Y
UpMd8Fwq71mHENc+2aOUZm3Vrb0qY+r9Xb2ajQy6OgpNpSkqVIh4sVlkeK/X7aVc
EuuoDeNh+JOtVQZUjAMAEQEAAYkCPAQYAQgAJhYhBJ9GDbvQY9U9dvwcDDA9TioC
PnWIBQJd1N6EAhsMBQkHhh+AAAoJEDA9TioCPnWIaMsP/AnYjt1Jv4zmL19QipyW
+yoFHIkq5HFccoKs9wuqB0OafgYFeRWk2KDee627JMoafw2xkm+DIFxJd320twP5
LdNL3FkX8Bf/PEkUfz/i4r3y6nrteHREwiaUAO/NoaTVPNKyULbOxBWYCmY5bBxz
M4y8FeaonTLxOk62AmC48aob2wUmSaRJqYmNNDo8r7d/f82t1h46SSZVT8yDT8xX
3+duoq1yjmcbc7Mp372rUD4YlKvM7buCxMgPwDKihlyb3sEKuloGJNwI0x779Bhd
xfhwYJNZuk21Sh1mr7/je9YAGRSIuvHMzOypQF2A0FTHROkl2y2V5X1G8Ex3GKlG
uhsIJL7wSavSyixnC19M0IHpjAT1nPGnLdDrsmXxl2ZcZDvnfIIUyR93tWrGiFfa
Bbw+RXYaY5kvGeOhbqDbme7/lQJbxwDPafNpCn+DFKNtdvJD5ttaUHPUJuX7ASG1
6oxIRK9jZDJOShJ4OA7OpntifSE74pY2gvMgxN9CLSuXUySsGm8d5GpzkYJlh8rk
B4Rv81rf7TtMHHTNMOrC+0p2lGNv15oOLg0cvnM0KwHv65VRgJUHzTddOgLLdI2F
gxSFh5OGQNzGXZlxdA78KTK50oSRwPjSRsTgEjKLacI7ADrXevI/QQIUhWCXkqVp
PhOKrzFmHosS4TdnVJf2f3CO
=FagH
-----END PGP PUBLIC KEY BLOCK-----

Reward

Reward table:

LevelReward(USDT)
Critical3000
High750
Medium150
Low30

Reward will paid out in USDT or in the equivalent amount of TWD. Once your submission is accepted, please provide either of the following to receive your reward.

  • Your USDT wallet address
  • Your TWD account number


Vulnerability description:

Types of impacts that MaiCoin would consider to be critical include:

  • Read /write sensitive data in a system.
  • SQL injection
  • Remote arbitrary code execution
  • Vertical authentication/authorization bypass
  • Exfiltrate digital or fiat currency
  • And other critical-severity issues

Types of impacts that MaiCoin would consider to be high include:

  • Server-side request forgery to an internal service
  • Stored/Reflected XSS in the core service
  • Lateral authentication/authorization bypass
  • And other high-severity issues

Types of impacts that MaiCoin would consider to be medium include:

  • Cross-site request forgery
  • Server-side request forgery
  • Sensitive information/data disclosure
  • Server misconfiguration or provisioning errors with the immediate risks
  • Arbitrary file upload with the immediate risks
  • And other medium-severity issues

Types of impacts that MaiCoin would consider to be low include:

  • Server misconfiguration or provisioning errors
  • Found demo/example configuration
  • General information disclosure
  • And other low-severity issues

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.