Join CryptoRank Bug Bounty Campaign! – Cryptorank News

Attention all security researchers and crypto enthusiasts! We’re excited to announce that we’re launching a bug bounty campaign on CryptoRank.io in partnership with Crew3.

Our mission is to build a secure and reliable platform for the cryptocurrency community, and we believe that working with the wider community is key to achieving this goal. That’s why we’re inviting all security experts to help us find and fix any potential vulnerabilities on our platform.

The bug bounty program covers all components of CryptoRank.io, including business logic issues, UX/UI design, market metrics, and others.

Share a $10,000 Reward Pool!

Cash rewards will be offered for eligible bugs, starting at $20 and going up to $250, depending on the severity and complexity of the issue, with a total prize fund of $10,000! Minor issues will be rewarded with Spaceships 🚀 (internal currency).

Bounty Ranges by Severity of Vulnerabilities and Bugs

Technical bugs and Business logic issues:

  • Critical — $250
  • Major — $150
  • Minor — $50
  • Trivial — $20

Errors in data and typos:

  • Significant — 🚀500
  • High — 🚀250
  • Moderate — 🚀150
  • Low — 🚀50

To learn more about Spaceships 🚀, visit https://cryptorank.io/earn/rewards

We welcome your ideas for improvements and new features! The best suggestions will be rewarded as decided by the team.

Campaign Rules

  • Avoid using automated web application vulnerability scanners that generate massive traffic.
  • Make every effort not to damage or reduce the availability of products, services or infrastructure.
  • Avoid compromising any personal data, interruption or degradation of any service.
  • Don’t access or modify other user data, localize all tests to your accounts.
  • Perform testing only within the scope.
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
  • Don’t spam forms or account creation flows using automated scanners.
  • In case you find several related vulnerabilities, we’ll pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope.
  • Any details of vulnerabilities found must not be disclosed to anyone who is not a CryptoRank employee without proper authorisation.

Focus Area

In-scope Vulnerabilities

We are interested in identifying and addressing the following vulnerabilities:

  • Business logic issues.
  • Remote code execution (RCE).
  • Vulnerabilities in the database, including SQL injection (SQLi).
  • File inclusions (Local & Remote).
  • Access control issues (IDOR, privilege escalation, etc.).
  • Leakage of confidential or sensitive information.
  • Server-side request forgery (SSRF).
  • Other vulnerabilities that have a clear potential for loss.

Out-of-scope Vulnerabilities

Out-of-scope — Web

Vulnerabilities found in out-of-scope resources are unlikely to be rewarded, unless they present a serious business risk (at our sole discretion).

The following vulnerabilities do not meet the severity threshold:

  • Third party application vulnerabilities.
  • Best practices concerns.
  • Recent (less than 30 days) 0-day security vulnerability disclosures.
  • Vulnerabilities that affect users of out-of-date browsers or out-of-date platforms.
  • Social engineering, phishing, physical fraud or any other fraudulent activity.
  • Publicly accessible login panels without proof of exploitation.
  • Reports stating that software is out of date/vulnerable without proof of concept.
  • Vulnerabilities related to active content, such as add-ons to web browsers.
  • Most brute-force issues with no clear impact.
  • Denial of service.
  • Theoretical issues.
  • Disclosure of moderately sensitive information.
  • Spam (SMS, email, etc.).
  • Missing HTTP security headers.
  • Infrastructure vulnerabilities, including:
    • Certificates/TLS/SSL related issues;
    • DNS issues (e.g., MX records, SPF records, DMARC records, etc.);
    • Server configuration issues (e.g., open ports, TLS, etc.);
    • Open redirects;
    • Session fixation;
    • User account enumeration.
  • Clickjacking/tapjacking and issues that can only be exploited through clickjacking/tapjacking.
  • Explanatory error messages (such as stacktrace, application or server errors).
  • Self-XSS that cannot be the subject of exploitation by other users.
  • Login and Logout CSRF.
  • Weak Captcha/Captcha Bypass.
  • Lack of secure and HTTPOnly cookie flags.
  • Username/email enumeration via Login/Forgot Password Page error messages.
  • CSRF in forms that are available to anonymous users (e.g., the contact form).
  • OPTIONS/TRACE HTTP method enabled.
  • Host header issues without a proof of concept that demonstrates the vulnerability.
  • Content spoofing and text injection issues where no attack vector is visible/no HTML/CSS modification is possible.
  • Content Spoofing without embedded links/HTML.
  • Reflected File Download (RFD).
  • Mixed HTTP Content.
  • HTTPS Mixed Content Scripts.
  • Any DoS/DDoS issues.

Out-of-scope — Mobile

  • Attacks that require physical access to the user’s device.
  • Vulnerabilities that require extensive user interaction.
  • Exposure of non-sensitive data on the device.
  • Reports from static analysis of binary code without proof of concept that affects business logic.
  • Lack of obfuscation/binary protection/root (jailbreak) detection.
  • Bypassing certificate pinning on rooted devices.
  • Lack of exploit mitigations, e.g., PIE, ARC, or Stack Canaries.
  • Sensitive data in URLs/request bodies when protected by TLS.
  • Path disclosure in the binary.
  • OAuth & app secret hard-coded/recoverable in IPA, APK.
  • Sensitive information retained as plaintext in the device’s memory.
  • Crashes due to malformed URL schemes or intents sent to an exported activity/service/broadcast receiver (exploiting these for sensitive data leakage is in scope).
  • Any type of sensitive data stored in the private directory of the application.
  • Runtime hacking exploits using tools like, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment).

In-scope

  • https://cryptorank.io/ — Web
  • https://play.google.com/store/apps/details?id=com.cryptorank — Android App
  • https://apps.apple.com/us/app/cryptorank-tracker-portfolio/id1609951971 — iOS App

Out-of-scope

Guide 📚

To participate, simply sign up for a free account on Crew3 and start exploring CryptoRank.io. If you find any bugs, report them to us through the Crew3 platform, and we’ll take care of the rest. The CryptoRank team reserves 7 days to make a decision on a bug report. Our bug bounty program is open to everyone, so don’t hesitate to join us!

Crew3 👉 https://crew3.xyz/c/cryptorank/

Have any questions or feedback? We’d love to hear from you! Let us know what you think in our Telegram Community Chat and on Twitter.