# Fireblocks General Bug Bounty Program
This program is for the disclosure of software security vulnerabilities only.
This policy governs the Fireblocks General Bug Bounty Program, subject to the scope described herein (the “Program”).
Note: Fireblocks has additional, specific bug bounty programs, such as the MPC-CMP Bug Bounty Program, which are governed by their own separate policies.
# Introduction
Fireblocks acknowledges the crucial role played by security researchers in ensuring the safety of our community. We actively encourage the responsible disclosure of security vulnerabilities through this Program, which aligns with our core values and mission of enabling secure digital asset operations.
With the objective of securing the most widely used protocols and signature schemes, this Program focuses on the highest-priority signature scheme: the MPC protocol for ECDSA signatures used in Bitcoin, Ethereum, and other blockchains, as well as the protocol for EdDSA.
To qualify for a reward, a report must clearly demonstrate a software vulnerability that harms Fireblocks and its customers. Such a report is considered a valid, in-scope report. Fireblocks will determine, at its sole discretion, whether a report meets the eligibility criteria for a bounty and the amount of the reward.
# Response Targets
Fireblocks will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 10 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
# Registration/Test plan
To register for the Fireblocks console, use the following link: https://info.fireblocks.com/fireblocks-developer-account
For registration and internal statistics purposes, please use your HackerOne alias email, [email protected] (use your personal H1 name), to receive further set-up instructions. Registration will not work with an email address other than one at @wearehackerone.com.
# Program Rules
- Make a good faith effort to avoid privacy violations, destruction of data, interruption, or degradation of our businesses. Only interact with accounts you own or with the explicit permission of the account holder.
- Any public disclosure of any vulnerabilities is prohibited without our consent. We will not approve public disclosure requests until the vulnerability has been resolved.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit only one vulnerability per submission unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
- In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.
- When reporting vulnerabilities, please consider (1) the attack scenario/exploitability and (2) the security impact of the bug.
- When testing, please include the identifier "h1-" in any payload you use. This will help us differentiate between legitimate and malicious traffic.
- By submitting a report, you agree to be bound by these rules.
# Disclosure Policy
- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
# Report Evaluation
To be deemed valid, a report must demonstrate a vulnerability within the Scope. Only a valid, in-scope report qualifies for a bounty.
If the report does not include a valid Proof-of-Concept, eligibility for a reward will be decided according to the reproducibility and severity of the vulnerability, and the amount of the reward may be reduced.
Bounty awards are based on the severity of the vulnerability.
For your reported vulnerability to be eligible, you must:
- Discover a previously unreported, non-public vulnerability
- Provide sufficient information to enable Fireblocks’ team to reproduce and fix the vulnerability.
- Submit a vulnerability on an issue that was not already rewarded under this Program.
| Vulnerability Tier | Reward |
|---|---|
| Critical | Up to $12,000 |
| High | Up to $9,000 |
| Medium | Up to $1,500 |
| Low | Up to $300 |
The rewards listed next to each tier are the maximum bounties for that tier. The vulnerability tier is subject to Fireblocks' determination at its sole discretion. The specific amount of the reward will vary, at Fireblocks' sole discretion, according to:
- The impact of the bug.
- The cause of the bug.
- Whether or not the report submitted suggests a solution to the bug or helps in its resolution.
- The process through which the bug was discovered.
# Report Closure
Fireblocks reviews all findings that are reported via this Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Fireblocks may request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.
PLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure. Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited.
# Scope
The qualifying vulnerabilities listed below are eligible for this Program (the "Scope"). Only an issue identified within the Scope qualifies for the Program. Once a report has been triaged as valid, it is considered for the bug bounty.
## Qualifying Vulnerabilities
- Performing unauthorized actions with an emphasis on unauthorized funds transfer
- Disclosure of sensitive or personally identifiable information
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context
- Server-side or remote code execution (RCE)
- Authentication or authorization flaws, including insecure direct object references and authentication bypass
- Injection vulnerabilities, including SQL and XML injection
- Directory traversal
- Significant security misconfiguration with a verifiable vulnerability
## Out-of-scope vulnerabilities
The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute force issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Software version disclosure / banner identification issues
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
- Tabnabbing
- Open redirect - unless an additional security impact can be demonstrated
- OAuth 2.0 implicit grant flow
# Participation Eligibility
Please review the following participation eligibility criteria before participating in the Program:
- Participants must be at least 14 years old and have the legal capacity to agree to these terms and participate in the Bug Bounty Program
- Participants who are residents of any country under U.S. sanctions or any country that does not allow participation in these types of programs are prohibited from participating in this Program
- Fireblocks employees, family members of a Fireblocks employee, Fireblocks contractors, Fireblocks partners, or Fireblocks service providers are prohibited from participating in this Program
- All submissions for bounties to Fireblocks must be through HackerOne. Anonymous reports are acceptable through HackerOne but are not eligible for rewards
# Disclaimer
**We reserve the right to modify the Program or cancel it at any time. Fireblocks reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.**
Thank you for helping keep Fireblocks and our users safe!