Worthpad recognizes the value external security researchers can bring to the security of Worthpad systems, and we welcome and seek to reward eligible contributions from security researchers, as outlined below.
If you believe you have found a security vulnerability on Worthpad (or another member of the Worthpad IDO Launchpad), we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting, though, please review this page, including our responsible disclosure policy, reward guidelines, and scope of the program.
Bug Bounty Program Processes
We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our products and services. Monetary bounties for such reports are entirely at Worthpad’s discretion, based on risk, impact, and other factors. To be considered for a bounty, you must meet the following requirements:
- Adhere to our Responsible Research and Disclosure Policy.
- Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security risk. (Note that Worthpad ultimately determines the risk of an issue, and that many software bugs are not security issues.)
- Report the vulnerability upon discovery or as soon as is feasible.
- Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Report a security bug involving one of the products or services that are within the scope of the program. We specifically exclude certain types of potential security issues, listed under “Out of Scope” and “False Positives”.
- Submit your report via our “Report a Security Vulnerability” form (one issue per report) and respond to any follow-up requests from our staff for updates or further information. Please do not contact our staff directly or through other channels about a report.
- Before engaging in any action which may be inconsistent with or unaddressed by these terms of service, contact us for clarification by submitting a new submission with your question.
- Refrain from using any brute-forcing or dynamic scanning tools that will cause harm to Worthpad. DoS and brute-forcing our endpoints are out of scope.
In turn, we will follow these guidelines when evaluating reports under our bug bounty program:
- We investigate and respond to all valid reports. Due to the volume of reports we receive, though, we prioritize evaluations based on risk and other factors, and it may take some time before you receive a reply.
- We determine bounty amounts based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. If we pay a bounty, the minimum reward is $500 worth $WORTH tokens. Note that extremely low-risk issues may not qualify for a bounty at all. Even if the issue you identify is low-risk in isolation, if your report leads us to discover higher-risk vulnerabilities, we may, at our sole discretion, pay an increased award.
- We will generally pay lower reward amounts for in-scope vulnerabilities that are only exploitable through outdated versions of non-Worthpad developed software (e.g., a web browser), but we will still consider such reports.
- We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future.
- In the event of duplicate reports, we award a bounty to the first person to submit an issue. (Worthpad determines duplicates in its sole discretion and is not obligated to share details on prior similar reports.) A given bounty is typically only paid to one individual. However, if a subsequent report on a previously evaluated issue reveals that a vulnerability still remains or is more serious than initially judged, we may pay a reward for the subsequent report and evaluate whether an additional reward is warranted for the initial entry.
- We reserve the right to publish reports (and accompanying updates).
- We publish a list of researchers who have submitted valid security reports. You must receive a bounty to be eligible for this list, but your participation on the list is then optional. We reserve the right to limit or modify the information accompanying your name in the list.
From time to time, Worthpad may offer promotions in connection with the Bug Bounty Program. To be eligible for such a promotion, a report may need to comply with additional rules governing the promotion, which are or will be made available.
We may retain any communications about security issues you report for as long as we deem necessary for program purposes, and we may cancel or modify this program at any time.
Qualifying individuals who submit a valid report to Worthpad that results in a payout according to these Terms will automatically be enrolled in our Elite Hacker Rewards Program for the opportunity to gain league status within the Program and receive rewards, subject to verification and in accordance with the league in which they have qualified. There is no purchase necessary to participate in this Program and a purchase will not increase your chances of receiving a reward.
Out of Scope
- Spam or social engineering techniques.
- Denial-of-service attacks.
- Content injection. Posting content on Worthpad is a core feature, and content injection (also “content spoofing” or “HTML injection”) is out of scope unless you can clearly demonstrate a significant risk.
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user’s device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Attempting to compromise our endpoints by brute forcing.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
- Open redirect — unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
This is a once in a lifetime opportunity. Don’t miss it!
For more information about Worthpad and how to be a part of the revolution that will shape the global crypto space, visit the Worthpad Website.