Introduction
The ViaWallet Security Bounty Program aims to provide global users with a secure, stable, and efficient digital currency trading platform. This program divides potential vulnerabilities into three levels (L1 to L3) based on risk. To encourage more users and white hats to discover and report security vulnerabilities, a bounty of up to 5,000 USDT will be awarded to those who submit valid reports.
The principles, rewards, and evaluation criteria of the ViaWallet Security Bounty Program are outlined below.
Basic Principles
1. ViaWallet attaches great importance to the security of its products and services. We promise to follow up on, evaluate and fix all reported issues and to respond to all reports in a timely manner.
2. To ensure effective follow-up, ViaWallet may need assistance from the security researcher to reproduce the issue.
3. ViaWallet highlights responsible vulnerability disclosure and handling. We promise to offer recognition and reward to every user who adheres to the white hat spirit, protects users' interests, and helps ViaWallet improve security.
4. ViaWallet opposes and condemns all hacking activities that use vulnerability testing as an excuse to damage the interests of ViaWallet users, including but not limited to exploiting vulnerabilities to violate user privacy and steal digital assets, invade business systems, steal user data, and maliciously spread vulnerabilities.
5. ViaWallet opposes and condemns all acts of using security vulnerabilities to intimidate users and attack competitors.
6. ViaWallet reserves the right to make a final interpretation of the security bounty program at any time.
Rewards and Evaluation Criteria
Level | Reward |
Level 1 | 100-500 USDT |
Level 2 | 750-2,000 USDT |
Level 3 | 2,500-5,000 USDT |
- Level 1
Definition: Vulnerabilities of this level may pose limited hazards or potential security risks.
Categories:
(1) Misuse of the verification code interface, brute force attacks on verification codes and passwords.
(2) Less harmful vulnerabilities such as CSRF attacks with non-sensitive operations, and SPF mail forgery.
(3) Vulnerabilities that affect the availability and stability of the system, causing a response failure of the system.
- Level 2
Definition: Vulnerabilities of this level compromise sensitive information or asset security. They may cause certain impacts or asset losses.
Categories:
(1) Vulnerabilities such as XSS and CSRF attacks that affect some users, cause the leakage of users' credentials or trigger unauthorized sensitive operations.
(2) Vulnerabilities in verification logic, password reset, etc. that can be exploited to access user accounts.
(3) Vulnerabilities in product design that compromise data and asset security.
- Level 3
Definition: Vulnerabilities of this level can cause severe asset loss or massive leakage of sensitive information.
Categories:
(1) Vulnerabilities that damage the security of user assets or company property, such as private key leakage, deposit vulnerabilities, etc.
(2) High-risk vulnerabilities such as SQL injection, remote code execution, etc. that allow unauthorized system access to obtain system permissions.
(3) Unauthorized access to sensitive information, such as unauthorized access to user accounts, illegal access to sensitive data in the system backend, etc.
Security Bounty Program Process
1. Submit a report
The security researcher can send the report to support@viawallet.com, or open a ticket to submit the report.
Note: The report should be as detailed as possible, including text, URL, screenshots, etc. If necessary, attach a file.
2. Vulnerability investigation and evaluation
(1) Within three working days, ViaWallet will review the report and investigate the issue.
(2) Within seven working days, ViaWallet will give a conclusion and determine the vulnerability level. If necessary, we will confirm further details with the researcher, whose assistance would be much appreciated.
3. Fix the reported issue
(1) Our technical department will fix the reported security issue and schedule an update. The repair time depends on the severity of the issue and technical difficulties. For security issues in the clients, the repair time depends on the situation, since it is affected by the release schedule.
(2) The researcher can review whether the security issue is fixed.
4. Final stage
After the repair is completed, ViaWallet will distribute the USDT-TRC20 bounty rewards to the security researcher according to the “Rewards and Evaluation Criteria”.
FAQ
Q: Will ViaWallet disclose the information related to the vulnerability report?
A: In order to protect users' interests and privacy, we will not publicly disclose any information about the report.
Q: Is the ViaWallet Security Bounty Program a disguise for using rewards to conceal security issues?
A: No. First of all, ViaWallet believes that related information should not be disclosed in order to protect users’ interests and privacy, which is also a common practice in the industry. Secondly, the rewards are intended to express gratitude and respect to the security researcher, instead of concealing security issues.
Q: Will ViaWallet “ignore” the vulnerability and then secretly fix it?
A: Absolutely not. If a vulnerability report is “ignored”, our staff will explain the reason in the report feedback. Usually, this happens because the "vulnerability" is not considered a vulnerability but evaluated as a BUG. ViaWallet will not “secretly fix the vulnerability” in any case.