BTC: $10 692

-1.84%

ETH: $353

-1.25%

CoinGecko Bug Bounty Program
CoinGecko Bug Bounty Program
CoinGecko provides a fundamental analysis of the crypto market. In addition to tracking price, volume and market capitalization, CoinGecko tracks community growth, open-source code development, major events and on-chain metrics.
BOUNTY CAMPAIGN
CoinGecko Bug Bounty Program
Activity type:
Bug Bounty
Dates:
22 Jul 2020
TBA
Registration:
OPEN
Personal reward:
$900+
 
(Not set)
Difficulty:
HARD
Links:
Ends in: 
  • Focus Area
    IN-SCOPE VULNERABILITIES

    We are interested in the following vulnerabilities:
    • Business logic issues
    • Remote code execution (RCE)
    • Database vulnerability, SQLi
    • File inclusions (Local & Remote)
    • Access Control Issues (IDOR, Privilege Escalation, etc)
    • Leakage of sensitive information
    • Server-Side Request Forgery (SSRF)
    • Other vulnerability with a clear potential loss
    TargetTypeSeverityReward
    *.coingecko.com
    WebCriticalBounty
    api.coingecko.com
    Documentation: https://www.coingecko.com/en/api
    APICriticalBounty
    Android App
    https://play.google.com/store/apps/details?id=com.coingecko.coingeckoapp
    AndroidCriticalBounty
    iOS App
    https://apps.apple.com/us/app/coingecko-bitcoin-crypto-app/id1390323960
    iOSCriticalBounty
    Chrome Extension
    https://chrome.google.com/webstore/detail/coingecko-bitcoin-cryptoc/ofmoicejmilkphppeoekfhbpkleppdlb
    ExtensionCriticalBounty


    OUT-OF-SCOPE VULNERABILITIES

    OUT OF SCOPE - WEB
    Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not correspond to the severity threshold:
    • Vulnerabilities in third-party applications
    • Best practices concerns
    • Recently (less than 30 days) disclosed 0day vulnerabilities
    • Vulnerabilities affecting users of outdated browsers or platforms
    • Social engineering, phishing, physical, or other fraud activities
    • Publicly accessible login panels without proof of exploitation
    • Reports that state that software is out of date/vulnerable without a proof of concept
    • Vulnerabilities involving active content such as web browser add-ons
    • Most brute-forcing issues without clear impact
    • Denial of service
    • Theoretical issues
    • Moderately Sensitive Information Disclosure
    • Spam (sms, email, etc)
    • Missing HTTP security headers
    • Infrastructure vulnerabilities, including:
      • Certificates/TLS/SSL related issues
      • DNS issues (i.e. MX records, SPF records, etc.)
      • Server configuration issues (i.e., open ports, TLS, etc.)
    • Open redirects
    • Session fixation
    • User account enumeration
    • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
    • Descriptive error messages (e.g. Stack Traces, application or server errors)
    • Self-XSS that cannot be used to exploit other users
    • Login & Logout CSRF
    • Weak Captcha/Captcha Bypass
    • Lack of Secure and HTTPOnly cookie flags
    • Username/email enumeration via Login/Forgot Password Page error messages
    • CSRF in forms that are available to anonymous users (e.g. the contact form)
    • OPTIONS/TRACE HTTP method enabled
    • Host header issues without proof-of-concept demonstrating the vulnerability
    • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
    • Content Spoofing without embedded links/HTML
    • Reflected File Download (RFD)
    • Mixed HTTP Content
    • HTTPS Mixed Content Scripts
    • DoS/DDoS issues
    TargetTypeSeverityReward
    blog.coingecko.com
    WebNone--
    landing.coingecko.com
    WebNone--
    assets.coingecko.com
    WebNone--
    newsletter.coingecko.com
    WebNone--
    selfserve.coingecko.com
    WebNone--


    OUT OF SCOPE - MOBILE
    • Attacks requiring physical access to a user's device
    • Vulnerabilities requiring extensive user interaction
    • Exposure of non-sensitive data on the device
    • Reports from static analysis of the binary without PoC that impacts business logic
    • Lack of obfuscation/binary protection/root(jailbreak) detection
    • Bypass certificate pinning on rooted devices
    • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
    • Sensitive data in URLs/request bodies when protected by TLS
    • Path disclosure in the binary
    • OAuth & app secret hard-coded/recoverable in IPA, APK
    • Sensitive information retained as plaintext in the device’s memory
    • Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
    • Any kind of sensitive data stored in app private directory
    • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)
    • Shared links leaked through the system clipboard
    • Any URIs leaked because a malicious app has permission to view URIs opened.
    • Exposure of API keys with no security impact (Google Maps API keys etc.)
    Program Rules
    • Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
    • Make every effort not to damage or restrict the availability of products, services or infrastructure
    • Avoid compromising any personal data, interruption or degradation of any service
    • Don’t access or modify other user data, localize all tests to your accounts
    • Perform testing only within the scope
    • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
    • Don’t spam forms or account creation flows using automated scanners
    • In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
    • Don’t break any law and stay in the defined scope
    • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission

    Links:
    COMMENTS