Bug Bounty Program

Program Scope, Policy, and Rewards

Scope

Policy

  • Provide MaiCoin with a detailed vulnerability report that includes the steps needed to reproduce the vulnerability.
  • Give MaiCoin a reasonable amount of time to carry out a remediation plan and fix the vulnerability.
  • Without MaiCoin's prior written consent, do not disclose to any third party any vulnerability, any information you reported to MaiCoin, or any information MaiCoin provided to you about the vulnerability. This applies even after the vulnerability has been fixed.
  • Do not attempt to view, modify, or destroy data belonging to other users.
  • MaiCoin may unilaterally terminate this program or modify any of its terms and conditions at any time.

In addition, you must meet all of the following conditions to be eligible for a reward:

  • You are the first researcher to report the specific security vulnerability.
  • The security issue you report is confirmed to be verifiable, reproducible, exploitable, and within the program scope.
  • You comply with all terms and conditions of this program.
  • You submit your report before the program is terminated.

Furthermore, all vulnerabilities related to the following are out of scope for this program:

  • Social engineering (e.g. phishing).
  • Physical security.
  • Non-security-impacting UX issues.
  • Deprecated open source libraries are not in scope. If you would like to report a vulnerability in one of these libraries, please submit it on GitHub via an issue or PR.
  • Missing best practices in SSL/TLS configuration.
  • Self-XSS and issues exploitable only through Self-XSS.
  • Clickjacking on pages with no sensitive actions.
  • Related to tab-jacking, tab-nabbing, and text injection.
  • Related to DNS over HTTPS, DNSSEC, and DNS CAA record.
  • Attacks requiring MITM, physical access, or privileged access (e.g. a rooted phone) to a user's device.
  • Any activity that could lead to the denial/degradation of service (DoS).
  • Enforcement policies for brute force or account lockout.
  • Missing security headers.
  • Unauthenticated/logout/login CSRF.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Unconfirmed reports from automated vulnerability scanners.
  • Disclosure of server or software version numbers.
  • Disclosure of known public files and other information disclosures that are not a risk (e.g. robots.txt).
  • Disclosure of information with minimal security impact (e.g. stack traces, path or directory listing, logs).
  • Theoretical sub-domain takeovers with no supporting evidence.
  • Vulnerabilities or weaknesses in third party applications that integrate with MaiCoin.
  • Issues only present in end-of-life software.
  • Ability to abuse existing banking functionality.
  • Exposure of the IP address or domains.
  • Spamming or unlimited email sending rate.

Participants in this program must not:

  • Engage in any act that violates the rights of others or the law
  • Send spam to MaiCoin users
  • Use a discovered vulnerability to view, delete, modify, or disclose other users' data
  • Use a discovered vulnerability to view, delete, modify, or disclose system source code
  • Engage in any other conduct, beyond the above, that violates the spirit and purpose of this program

MaiCoin will make its best effort to meet the following response time targets:

  Response type        Working days
  First response       3 days
  Initial triage       7 days
  Reward payment       30 days

Inquiries about this program:

All related inquiries should be sent to [email protected]; inquiries sent through any other channel will not receive a response.

Vulnerability investigation and reporting:

If you discover a security issue, please contact us at [email protected]. When reporting a security weakness, encrypt the vulnerability details with the PGP key provided by MaiCoin. The MaiCoin security team will reply within three working days and will fix the issue as quickly as possible according to its severity.

PGP Key:


Rewards

Reward table:

  Severity level    Reward (USDT)
  Critical          3000
  High              750
  Medium            150
  Low               30

Rewards are paid in USDT or the equivalent amount in New Taiwan Dollars (TWD). Once the vulnerability you submitted has been confirmed and accepted, please provide one of the following as the channel for receiving your reward:

  • Your USDT wallet address
  • Your TWD bank account

Vulnerability severity descriptions:

MaiCoin considers "Critical" severity vulnerabilities to include:

  • Read/write access to sensitive data in a system
  • SQL injection
  • Remote arbitrary code execution
  • Vertical authentication/authorization bypass
  • Exfiltrate digital or fiat currency
  • And other critical-severity issues

MaiCoin considers "High" severity vulnerabilities to include:

  • Server-side request forgery to an internal service
  • Stored/Reflected XSS in the core service
  • Lateral authentication/authorization bypass
  • And other high-severity issues

MaiCoin considers "Medium" severity vulnerabilities to include:

  • Cross-site request forgery
  • Server-side request forgery
  • Sensitive information/data disclosure
  • Server misconfiguration or provisioning errors with immediate risk
  • Arbitrary file upload with immediate risk
  • And other medium-severity issues

MaiCoin considers "Low" severity vulnerabilities to include:

  • Server misconfiguration or provisioning errors
  • Found demo/example configuration
  • General information disclosure
  • And other low-severity issues
