# Bug Bounty Program Welcome to the Bug Bounty Program at Blockscout! Ensuring the safety of our platform is a top priority, and we greatly appreciate the **crucial role security researchers play in contributing to open source**. Should you identify a possible security vulnerability within our platform, we invite you to join our bug bounty program and share your findings. ### How to report a security vulnerability Send us an email with the information below. We ask that you please keep your findings confidential during the reporting process. We will get back to you with our diagnosis or additional comments/questions within 10 days. 1. **Description of the bug/vulnerability** Clearly describe the vulnerability you've discovered. 2. **Steps to reproduce**\ Outline the steps needed to replicate the vulnerability. 3. **Impact analysis** Assess the potential impact of the vulnerability on users, developers, and the organization. 4. **Code fix (optional)**\ If possible and appropriate, you may include a suggested code fix for the vulnerability. 5. **Type of vulnerability** Choose a label that best fits the category of the bug for classification purposes. This aids in rewards distribution and participation. 6. **Additional Context** Provide any additional information that could help in understanding and resolving the issue. 7. **Email your report**\ Email your report to [security@blockscout.com](mailto:%22security%40blockscout.com%22%20%3Csecurity%40blockscout.com%3E) {% hint style="info" %} Information is also available on the [SECURITY page of our Github Repo](https://github.com/blockscout/.github/blob/7a136f9c6091bf8b03195224f8abe56305ebb795/SECURITY.md?plain=1#L3). {% endhint %} ### Rewards If you are the first person to report the issue and we make a code or configuration change based on your findings, we will reward you with a bounty and mention in our [🏛Security Hall of Fame](#security-hall-of-fame)! Issue risk level is determined by our team. 1. **Critical Risk**: Up to $6000 in crypto equivalent. 2. **High Risk**: Up to $1000 in crypto equivalent. 3. **Moderate Risk**: Up to $500 in crypto equivalent. 4. **Low Risk**: Up to $100 in crypto equivalent. All bounty researchers will be acknowledged (at your discretion) for your efforts in our documentation. ### Bounty Considerations Vulnerabilities in the following areas are eligible for bounty consideration. * Business logic bugs or problems * Remote code execution (RCE) * Database vulnerability, SQLi * File inclusions (Local & Remote) * Access Control Issues (IDOR, Privilege Escalation, etc) * Sensitive information leaks * Server-Side Request Forgery (SSRF) * Other vulnerability with a clear potential loss ### **Out of Scope Items** Unless presenting a serious business risk (at our discretion), the following are typically not eligible for rewards: * Minor visual bugs, spelling errors, etc. * Social engineering tactics (e.g., phishing) * Issues in applications or systems not listed in the scope * UI/UX bugs, data entry errors, and typos * Network level Denial of Service (DoS/DDoS) vulnerabilities * Certificate/TLS/SSL issues * DNS configuration problems * Server configuration issues (open ports, TLS configurations, etc.) * Spam or social engineering techniques * Security flaws in third-party apps or services * Non-impactful XSS exploits * CSRF-XSS issues related to login/logout * Issues related to https/ssl or server-info disclosure * Mixed Content Scripts * Brute Force attacks * General best practices concerns * Recently disclosed 0day vulnerabilities * Username/email enumeration via error messages * Missing HTTP security headers * Weak password policies * HTML injection ## 🏛 Security Hall of Fame {% hint style="success" %} Thank you for your help keeping vital public infrastructure like block explorers safe and secure! {% endhint %} * blackgrease: --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.quaiscan.io/resources/bug-bounty-program.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.