ETH Price: $2,906.72 (-3.46%)
Gas: 25 Gwei

Bug Bounty Program

  1. Guidelines

    We ask that all researchers:

    • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
    • Use the identified communication channels to report vulnerability information to us
    • Report vulnerabilities as soon as you discover it, but keep it confidential between yourself and Etherscan until we’ve resolve the issue
    • Provide us with at least 7 working days to investigate the issue and revert back to you

  2. If you are the first to report the issue, and we make a code or configuration change based on the issue, we commit to:

    • Recognize your contribution on Etherscan.io (list below for the last 50 contributors)
    • Reward you with a bounty (up to a maximum of $2500 paid out per month):
      1. $1000-$3000 in crypto equivalent if you identified a vulnerability that presented a critical risk *
      2. $500 in crypto equivalent if you identified a vulnerability that presented a high risk *
      3. $250 in crypto equivalent if you identified a vulnerability that presented a moderate risk *
      4. $0 in crypto equivalent if you identified a vulnerability that presented a low risk *
      5. Entry in Hall of Fame Only, If there was in fact no or low risk vulnerability, but we still made a code or configuration change nonetheless
    Researcher will provide us with a wallet address based on the reported explorer for the payout within 7 days after we have resolved the issue.
    * vulnerability level will be determined at our discretion
    ** in the event the vulnerabilty exists in multiple explorers, only the reported explorer is entitled to the rewards

  3. Scope

    Etherscan (etherscan.io) and explorers under EaaS (https://etherscan.io/eaas)

    We are interested in the following vulnerabilities:

    • Business logic issues
    • Remote code execution (RCE)
    • Database vulnerability, SQLi
    • File inclusions (Local & Remote)
    • Access Control Issues (IDOR, Privilege Escalation, etc)
    • Leakage of sensitive information
    • Server-Side Request Forgery (SSRF)
    • Other vulnerability with a clear potential loss

  4. Out of scope

    Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not correspond to the severity threshold

    • Visual typos, spelling mistakes, etc
    • Findings derived primarily from social engineering (e.g. phishing, etc)
    • Findings from applications or systems not listed in the ‘Scope’ section
    • UI/UX bugs, Data entry errors, spelling mistakes, typos, etc
    • Network level Denial of Service (DoS/DDoS) vulnerabilities
    • Certificates/TLS/SSL related issues
    • DNS issues (i.e. MX records, SPF records, etc.)
    • Server configuration issues (i.e., open ports, TLS, etc.)
    • Spam or Social Engineering techniques
    • Security bugs in third-party applications or services
    • XSS Exploits that do not pose a security risk to 'other' users (Self-XSS)
    • Login/Logout CSRF-XSS
    • https/ssl or server-info disclosure related issues
    • https Mixed Content Scripts
    • Brute Force attacks
    • Best practices concerns
    • Recently (less than 30 days) disclosed 0day vulnerabilities
    • Username/email enumeration via Login/Forgot Password Page error messages
    • Missing HTTP security headers
    • Weak password policy
    • HTML injection

  5. How to Report a Security Vulnerability

    • Description of the location and potential impact of the vulnerability
    • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
    • Your name/handle and a link for recognition in our Hall of Fame (twitter, reddit, facebook, hackerone, etc)
    • List down the affected explorer(s)
    • Email us at [Bug Bounty Report]

HALL OF FAME

Special thanks to the following researchers for helping us make Etherscan and other explorers a better place