Copyright © Blockscout Limited 2023-2024

Bug Bounty Program

Last updated 4 months ago

Welcome to the Bug Bounty Program at Blockscout! Ensuring the safety of our platform is a top priority, and we greatly appreciate the crucial role security researchers play in contributing to open source. Should you identify a possible security vulnerability within our platform, we invite you to join our bug bounty program and share your findings.

How to report a security vulnerability

Send us an email with the information below. We ask that you please keep your findings confidential during the reporting process. We will get back to you with our diagnosis or additional comments/questions as required. We may patch the vulnerability prior to our response to you, and will determine the risk level and possible payout on a case-by-case basis.

  1. Description of the bug/vulnerability

    Clearly describe the vulnerability you've discovered.

  2. Steps to reproduce

    Outline the steps needed to replicate the vulnerability.

  3. Impact analysis

    Assess the potential impact of the vulnerability on users, developers, and the organization.

  4. Code fix (optional)

    If possible and appropriate, you may include a suggested code fix for the vulnerability.

  5. Type of vulnerability

    Choose a label that best fits the category of the bug for classification purposes. This aids in rewards distribution and participation.

  6. Additional context

    Provide any additional information that could help in understanding and resolving the issue.

  7. Email your report

    Email your report to security@blockscout.com.

Information is also available on the SECURITY page of our GitHub repo.

Rewards

Risk Levels

  1. Critical Risk: $1000 to $4000 in crypto equivalent based on severity.

  2. High Risk: Up to $500 in crypto equivalent.

  3. Moderate Risk: Up to $250 in crypto equivalent.

  4. Low Risk: Up to $100 in crypto equivalent.

Security issue submission does not automatically qualify you for a bounty reward. Final determinations regarding risk severity, reward amounts, and payment schedules are made exclusively by the Blockscout team. For vulnerabilities found across multiple explorers, rewards are only issued for the first reported instance. Please review the general guidelines below for more information about our evaluation process.

Bounty Considerations

Vulnerabilities in the following areas are eligible for bounty consideration.

  • Business logic bugs or problems

  • Remote code execution (RCE)

  • Database vulnerabilities, including SQL injection (SQLi)

  • File inclusions (Local & Remote)

  • Access control issues (IDOR, privilege escalation, etc.)

  • Sensitive information leaks

  • Server-Side Request Forgery (SSRF)

  • Other vulnerabilities with a clear potential for loss

Out of Scope Items

Unless presenting a serious business risk (at our discretion), the following are typically not eligible for rewards:

  • Minor visual bugs, spelling errors, etc.

  • Social engineering tactics (e.g., phishing)

  • Issues in applications or systems not listed in the scope

  • UI/UX bugs, data entry errors, and typos

  • Network-level Denial of Service (DoS/DDoS) vulnerabilities

  • Certificate/TLS/SSL issues

  • DNS configuration problems

  • Server configuration issues (open ports, TLS configurations, etc.)

  • Spam or social engineering techniques

  • Security flaws in third-party apps or services

  • Non-impactful XSS exploits

  • CSRF-XSS issues related to login/logout

  • Issues related to HTTPS/SSL or server-info disclosure

  • Mixed Content Scripts

  • Brute-force attacks

  • General best practices concerns

  • Recently disclosed 0-day vulnerabilities

  • Username/email enumeration via error messages

  • Missing HTTP security headers

  • Weak password policies

  • HTML injection

🏛 Security Hall of Fame

Thank you for your help keeping vital public infrastructure like block explorers safe and secure!

If you are the first person to report the issue and we make a code or configuration change based on your findings, we will reward you with a bounty and a mention (at your discretion) in our 🏛 Security Hall of Fame!

blackgrease: https://github.com/blackgrease