Blockchain.com Bug Bounty Program

Welcome to the Blockchain.com Bug Bounty Program!

As a pioneer in the cryptocurrency space, Blockchain.com has been at the forefront of developing crucial infrastructure for the Bitcoin community. We started with the Blockchain Explorer, empowering users to examine transactions and understand the blockchain, and an API that enabled businesses to build on Bitcoin. Furthermore, we provide a widely popular and user-friendly crypto wallet, allowing individuals globally to securely manage their own digital assets.

Thank you for your interest in helping us enhance the security of our platform! Your contributions are highly valued.

Getting Started

If you are new to Blockchain.com, we strongly encourage you to review our Security Learning Portal to familiarise yourself with our products and their security considerations before submitting any reports.

Ratings/Rewards

For the initial prioritization/rating of findings, this engagement will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward Structure

In Scope Targets

Testing is only authorized on the targets listed as in scope. Any domain/property of Blockchain.com not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in scope, but it demonstrably belongs to Blockchain.com, you can report it to this engagement. However, be aware that it is ineligible for rewards or points-based compensation.

Credentials

To gain access to the application, please sign up for an account using your @bugcrowdninja.com email address. You may register for accounts at the signup page.

Access/Traffic Identification

Please add the following header to your HTTP traffic to prevent interruptions and verify non-malicious behavior:

X-Bug-Bounty:<bugcrowdusername>

Excluded Submission Types

• P5 vulnerabilities
• Availability/volumetric testing including:
  • DoS/DDoS/Network DoS
  • Rate limiting bypass attempts
  • Email bombing flooding

N-day/Third Party 0-day Policy

• When N-Day bugs are released to the public, we will consider these as in scope after 14 days has gone by
• Example: N-day released on 01/01/2025, we would consider it in-scope on 01/15/2025

Out of Scope

• Registering multiple wallet accounts with the same email address is an intended feature.
• Interacting or manipulating other stakeholders and their associated accounts including:
  • Social engineering attacks
  • Phishing attacks
  • Physical attacks

Potential post-exploitation scenarios: If you believe you've identified a vulnerability that may lead to post-exploitation activity including modification or destruction of data please stop testing and submit your finding. We will work with you to evaluate the vulnerability and award you accordingly for the final impact and severity.

Third Party Providers and Services

Web applications operated by third parties are only considered in scope under the following ways:

• Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.
• Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward these issues on top of the vendor based on the outcome of that report.

The following assets represent third-party applications, along with their vendors to report issues to:

• email-clicks.blockchain.com (SendGrid)
• support.blockchain.com (ZenDesk)
• blog.blockchain.com (Medium)
• docs.blockchain.com (GitBook)

Leaked Credentials

If you happen to identify vulnerabilities involving data that has been exposed or leaked such as dark web forums or leaked credential sites, you can report it to this engagement. However, be aware that it is only eligible for points-based compensation. This policy helps maintain the highest standard of operational confidentiality, integrity, and compliance.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
• Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
• Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire through the Bugcrowd Support Portal before going any further.

Disclosure Terms

This engagement follows Bugcrowd's standard disclosure terms. Vulnerabilities found in this engagement require explicit permission by selecting the disclosure request option on your submission. For more information please review the Public Disclosure Policy.