Calling all white-hat hackers and testers to join our bug-bounty program
Introducing a Bug-Bounty program for our Vaults app, API calls and prod keys to plug the errors immediately and create a hack-proof infrastructure. We aim to promote responsible disclosure of security vulnerabilities through this program
Sr No.
Researcher Name
Vulnerability Name
Profile
Target sites to conduct your tests and follow the policies to report the bugs
Out-of-scope parameters
Any targets besides the one mentioned in the target list
All third-party applications used at Liminal
Note: Breaching any program policies may lead to legal consequences for the violator
Check out all the crucial rules to follow before you begin testing our infrastructure
- Users should only use their own accounts for testing or research.
- Accessing another user's account or confidential information is strictly prohibited.
- One vulnerability per report is recommended, except when vulnerabilities must be chained for impact.
- Only the first fully reproducible report will be rewarded in the case of duplicates.
- Multiple vulnerabilities originating from one issue are treated as one for bounty allocation.
- Testing for spam, social engineering, or denial of service issues is not allowed.
- Testing should not infringe on any laws or compromise unauthorised data.
- Responsible submission of findings safeguards against legal action, but Liminal retains its legal rights in non-compliance.
- Immediate contact is required if inadvertent exposure to user or financial transaction data occurs, and any local information must be purged upon reporting the vulnerability to Liminal.
Assess security impact by checking for the following scope of vulnerabilities in one attack scenario
Qualifying Vulnerabilities
- Balance Manipulation
- User Account Takeover
- Cross-site Scripting (XSS)
- Cross-Site Request Forgery (Only potential issues will be considered)
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Server-Side Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc)
- Exposed Administrative Panels that don’t require login credentials
- Directory Traversal Issues
- Local File Disclosure (LFD) and Remote File Inclusion (RFI)
- Gaining access to any of our servers
- Leakage of PII Information of individual or other users
Non-Qualifying vulnerabilities
- Any URIs leaked because a malicious app has permission to view URIs opened
- Absence of code obfuscation
- Self XSS
- Login/Logout cross-site request forgery
- Sensitive data in URLs/request bodies when protected by TLS
- Use of outdated software/library versions
- Path disclosure in the binary
- Snapshot/Pasteboard leakage
- Run-time hacking exploits (exploits only possible in a jail-broken/rooted environment)
- Reports from automated tools or scans (without accompanying demonstration of exploitability)
- Bypassing client-side control mechanisms through scanners or tools or debuggers are considered to be known vulnerabilities; post-bypass, if there is any impact on users, then the Liminal product security team will review it
- Clickjacking and open-redirect are out of scope unless they impact users’ data
- Rate limiting on our services like resending verification emails, inviting members, subscribing to newsletters, or any others
- MFA before email verification allowed and MFA working after the password change
- Registering an account with any email available
- Password field accepting many characters
- DMARC related issues
- DNSSEC not set
Bigger the bug, bigger the cash reward
The security team assesses bug severity and rewards accordingly. All code changes earn a spot in the Hall of Fame, but more severe changes may also receive cash rewards