Anome Bug Bounty Program
Anome is a groundbreaking platform for refundable asset issuance, gaming, and lending.
Project Overview
Anome is an NFT derivative issuance and lending platform that is first applied in fully on-chain gaming scenarios.
Rewards
Rewards will be provided according to the rules of this bug bounty program as outlined above. At the discretion of Anome, quality, creativity, or novelty of submissions may modify payouts within a given range.
In case of multiple reports about the same issue, Anome will reward the earliest submission, regardless of how the issue was reported.
CVSS standards will be used for vulnerability rating (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator).
Websites and Applications
| Severity | Description | Reward |
|---|---|---|
| Critical | Critical severity vulnerabilities have a significant impact on the security of the project. It is strongly recommended to fix critical vulnerabilities. | 2,000 ~ 10,000 USDC |
| High | High severity vulnerabilities affect the normal operation of the project. It is strongly recommended to fix high-risk vulnerabilities. | 1,000 ~ 2,000 USDC |
| Medium | Medium severity vulnerabilities affect the operation of the project. It is recommended to fix medium-risk vulnerabilities. | 500 ~ 1,000 USDC |
| Low | Low severity vulnerabilities may affect the operation of the project in certain scenarios. It is suggested that the project team evaluate and consider whether these vulnerabilities need to be fixed. | 100 ~ 500 USDC |
Scopes
In Scope
| Target | Scope |
|---|---|
| Websites and applications | *.anome.xyz |
Out Of Scope
Websites and Apps
- Theoretical vulnerabilities without any proof or demonstration
- Attacks requiring physical access to the victim device
- Attacks requiring access to the local network of the victim
- Reflected plain text injection, e.g. in URL parameters, path, etc. (This does not exclude reflected HTML injection with or without JavaScript, and does not exclude persistent plain text injection)
- Self-XSS
- Captcha bypass using OCR without impact demonstration
- CSRF with no state modifying security impact
- Missing HTTP Security Headers or cookie security flags without demonstration of impact
- Server-side non-confidential information disclosure such as IPs, server names, and most stack traces
- Vulnerabilities used only to enumerate or confirm the existence of users or tenants
- Vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
- Lack of SSL/TLS best practices
- DDoS vulnerabilities
- Feature requests
- Issues related to the frontend without concrete impact and PoC
- Best practices issues without concrete impact and PoC
- Vulnerabilities primarily caused by browser/plugin defects
- Leakage of non-sensitive API keys
- Any vulnerability exploit requiring browser bugs for exploitation
- Attacks requiring privileged access from within the organization
- Issues related to scene code itself
- Scenes deployed by users using malicious code that requires users to download or interact with it
- Any vulnerability that requires the user to input commands in the browser console
Reporting Rules
- Rewards or recognition require that the Anome security team can reproduce and verify an issue and that the security impact is clear;
- Reproduction steps need to be clear, and may include screenshots, videos, scripts, etc;
- Do not conduct social engineering and phishing to people;
- Do not leak the details of the vulnerability;
- Do not use a scanner for large-scale scanning. If the business system or network becomes unavailable, it will be handled according to relevant laws;
- Those testing a vulnerability should avoid modifying the page directly, repeatedly popping up message boxes (logging is recommended for XSS verification), stealing cookies, and using aggressive payloads such as ones that obtain user information (for blind XSS testing, please use DNSLog). If you accidentally used a more aggressive payload, please delete it promptly;
- Vulnerability testing is limited to PoC (proof of concept), and destructive testing is strictly prohibited. If harm is caused inadvertently during testing, it should be reported promptly. Sensitive operations performed during the test, such as deletion, modification, and other operations, must be explained in the report.