Policy

SpankChain recognizes the vital role that independent security researchers and our user community play in keeping our user base safe and secure. If you discover a vulnerability in any of SpankChain's products, please follow the steps outlined below to bring it to our attention.


Terms

Participating in SpankChain's Bug Bounty Program is voluntary and subject to the following set of terms and conditions (in addition to our standard user agreement). By submitting a Bug Bounty vulnerability you acknowledge that you have read and agreed to the Bug Bounty Policy terms.


To participate in the program, you must disclose the bug directly to, and only to, SpankChain via our support@spankchain.com email. Public disclosure of the vulnerability without giving us adequate time to triage, patch, and QA will revoke your right to participate in current and future bug bounties.


Scope

Bounties are determined at SpankChain's discretion, using a combination of factors. These include but are not limited to:

  1. Risk of vulnerability being exploited
  2. Scale of affected users
  3. Current mitigations in place and future mitigations in development

Generally In-Scope Vulnerabilities

  • Vulnerabilities affecting access or allowing unauthorized access
  • Bugs regarding payments/fees/conversion rates
  • User privacy concerns

Generally Out-of-Scope Vulnerabilities

  • Inherent vulnerabilities that cannot be resolved without breaking the full functionality of the site(s)
  • Vulnerabilities that require a user be physically compromised

If you find an out-of-scope vulnerability, we are still interested in hearing about it, but any payout provided would be heavily reduced compared to that for an in-scope issue.


Bug Submission Requirements

To submit a bug report, please provide any and all of the following relevant information to support@spankchain.com. Failure to provide all the requested information can delay the triage of your report and/or may result in the bug bounty being forfeited.

  • Full description of the vulnerability being reported, including the exploitability and impact
  • Evidence and explanation of all steps required to reproduce the submission, which may include:
      • Videos
      • Screenshots
      • Exploit code
      • Traffic logs
      • Web/API requests and responses
  • Email address or user ID of any test accounts
  • IP address used during testing

More advanced bug reports should also provide the following information:

  • Source IP address
  • Timestamp, including time zone
  • Full server request and responses
  • Filenames of any uploaded files, which must include “bugbounty” and the timestamp
  • Callback IP and port, if applicable
  • Any data that was accessed, either deliberately or inadvertently

Allowed Actions:

  • Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
  • Uploading a file that outputs the result of a hard-coded benign command

Prohibited Actions:

  • Uploading files that allow arbitrary commands (i.e. a webshell)
  • Modifying any files or data, including permissions
  • Deleting any files or data
  • Interrupting normal operations (e.g. triggering a reboot)
  • Creating and maintaining a persistent connection to the server
  • Intentionally viewing any files or data beyond what is needed to prove the vulnerability
  • Failing to disclose any actions taken or applicable required information


Bounty Payments

To receive a bounty payment you must meet the following criteria:

  1. You are the first person to submit a report on the vulnerability.
  2. The vulnerability has been reviewed by SpankChain and deemed a valid concern.
  3. You follow all the terms outlined in the Bug Bounty Program Terms.

Once a payout has been determined, we will send you the payment in ETH to an external wallet. This is the only payout option available.


The payout for each bounty is completely at SpankChain's discretion. SpankChain is under no obligation to pay for any submitted bounty, and all bounty payments are to be considered gratuitous.


You are personally responsible for any tax implications related to being paid for a bounty. Please be sure to follow your local rules and regulations.

SpankChain values each report based on a combination of factors such as risk and impact. The smallest bounty we pay is $50 USD (paid in ETH).

All decisions regarding bug bounty eligibility and payouts are final.


Timeline

First response: within 3 days

Triage: within 2 weeks of first response

Bounty decision: within 2 weeks of triage date

Bounty payout: within 1 week of bounty decision


Confidentiality

Any information you receive or collect about SpankChain or any SpankChain user through the Bug Bounty Program ("Confidential Information") must be kept confidential and used only in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching SpankChain's sites, without SpankChain's prior written consent.


Changes to Bug Bounty Program Terms

The Bug Bounty Program, including its policies, is subject to change or cancellation by SpankChain at any time, without notice. As such, SpankChain may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after SpankChain posts any such changes, you accept the Program Terms, as modified.