InitVerse Bug Bounty Program
Project Overview
InitVerse is dedicated to building enterprise-grade infrastructure for the Web3 ecosystem, led by INIChain, which integrates innovative TfhEVM and DDA Mechanism technologies to enhance blockchain performance, privacy, and resource efficiency.
With INIChain as its foundation, InitVerse's SaaS Builder simplifies DApp creation and deployment, empowering developers and enterprises to focus on growth. The ecosystem also includes tools like Clown Wallet and Obs Swap, delivering comprehensive support for users and developers alike. InitVerse drives blockchain innovation while creating convenience and value across the Web3 space.
Rewards
Rewards will be provided according to the rules of this bug bounty program as outlined below. At the discretion of USDX, quality, creativity, or novelty of submissions may modify payouts within a given range.
In case of multiple reports about the same issue, USDX will reward the earliest submission, regardless of how the issue was reported.
CVSS standards will be used for vulnerability rating (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator).
Blockchain & Smart Contracts
| Severity | Description | Reward |
|---|---|---|
| Critical | Critical severity vulnerabilities will have a significant impact on the security of the project, and it is strongly recommended to fix the critical vulnerabilities. | 2,000 ~ 20,000 USDC |
| High | High severity vulnerabilities will affect the normal operation of the project. It is strongly recommended to fix high-risk vulnerabilities. | 1,000 ~ 2,000 USDC |
| Medium | Medium severity vulnerabilities will affect the operation of the project. It is recommended to fix medium-risk vulnerabilities. | 200 ~ 1,000 USDC |
| Low | Low severity vulnerabilities may affect the operation of the project in certain scenarios. It is suggested that the project team should evaluate and consider whether these vulnerabilities need to be fixed. | 50 ~ 200 USDC |
Websites and Applications
| Severity | Description | Reward |
|---|---|---|
| Critical | Critical severity vulnerabilities will have a significant impact on the security of the project, and it is strongly recommended to fix the critical vulnerabilities. | 1,000 ~ 2,000 USDC |
| High | High severity vulnerabilities will affect the normal operation of the project. It is strongly recommended to fix high-risk vulnerabilities. | 500 ~ 1,000 USDC |
| Medium | Medium severity vulnerabilities will affect the operation of the project. It is recommended to fix medium-risk vulnerabilities. | 100 ~ 500 USDC |
| Low | Low severity vulnerabilities may affect the operation of the project in certain scenarios. It is suggested that the project team should evaluate and consider whether these vulnerabilities need to be fixed. | 50 ~ 100 USDC |
Scopes
In Scope
Out Of Scope
Smart Contracts and Blockchain
The program does not cover smart contract vulnerabilities, including but not limited to:
- Errors from third-party oracles, except for cases where a code vulnerability allows oracle manipulation.
- Flash Loan Attacks, including but not limited to manipulating markets, governance, and oracle prices via flash loans.
- Economic Attacks, such as 51% attacks, governance attacks, and miner extractable value (MEV)-related exploits.
- Vulnerabilities in third-party bridge contracts—if the vulnerability originates from a third-party bridge contract and not from InitVerse's code, it is not eligible for rewards.
- Liquidity Issues—token price volatility due to market fluctuations or liquidity provider withdrawals is excluded.
- Best Practice Recommendations, such as code style, performance optimization, and gas fee improvements, do not qualify as security vulnerabilities.
- Sybil Attacks, where multiple accounts are used to manipulate identity or voting rights.
- Centralization Risks, arising from operational or management mechanisms that may lead to centralization.
Websites and Apps
The following types of issues are not eligible for rewards:
- Theoretical vulnerabilities that lack a valid exploitation path or demonstrable attack impact.
- Attacks requiring physical access to the target device.
- Attacks requiring access to the victim's local network.
- Reflected Plain Text Injection (e.g., URL parameters, paths) unless leading to reflected HTML injection.
- Self-Executed XSS—cross-site scripting vulnerabilities that require the user to execute scripts themselves.
- OCR-based CAPTCHA bypass—unless accompanied by a clear demonstration of security impact.
- Stateless CSRF (Cross-Site Request Forgery).
- Missing HTTP security headers or cookie security flags unless an actual security risk is demonstrated.
- Non-sensitive server information leaks, such as IP addresses, server names, or generic error messages (e.g., stack traces).
- Vulnerabilities used solely for enumeration or user existence confirmation.
- Issues requiring the user to perform abnormal actions within the application to trigger a vulnerability.
- Improper SSL/TLS configuration unless it poses a real security threat.
- DDoS-related vulnerabilities, including but not limited to application-layer and network-layer denial-of-service attacks.
- Feature requests or functional suggestions.
- Frontend-only issues that lack a tangible impact or proof of concept (PoC).
- Best practice recommendations related to security strategies, code optimization, or general improvements without a concrete security flaw.
- Browser/plugin-specific vulnerabilities.
- Non-sensitive API key exposure.
- Attacks that depend on browser vulnerabilities.
- Attacks requiring privileged internal access to an organization's network.
- Scene Code-related issues.
- Malicious Scene Code deployment, where attackers trick users into downloading or interacting with harmful scripts.
- Attacks requiring users to manually enter commands in the browser console.
Network Layer
- Network Denial-of-Service (DoS/DDoS) Attacks, such as:
  - Transaction spamming to overload gas limits.
  - P2P network flooding to exhaust node resources.
  - Gossip protocol abuse leading to excessive CPU consumption.
  - HTTP API abuse causing node crashes, memory overflows (OOM), or disk exhaustion.
- Consensus Liveness Attacks, including:
  - BGP Hijacking, which disrupts network connectivity.
  - P2P DoS Attacks, such as using botnets for SYN flooding on specific nodes.
- Misconfigurations in AvalancheGo nodes, unless the issue stems from InitVerse's codebase.
- Node failures due to disk malfunctions.
- Unexpected behavior caused by incorrect node configurations.
- Errors resulting from unsupported hardware or operating systems.
- NAT traversal failures due to specific router hardware limitations.
Publicly Disclosed Vulnerabilities
The following are considered out of scope:
- Any vulnerabilities that have been publicly disclosed, whether related to InitVerse's codebase or external repositories.
- Publicly disclosed vulnerabilities in dependencies, i.e., vulnerabilities in external libraries that InitVerse relies on.
- Ethereum client vulnerabilities, such as those affecting Geth, Nethermind, Besu, or Erigon.
- Coreth/Subnet-EVM vulnerabilities, including:
  - Issues in go-ethereum that are not specific to InitVerse.
  - Vulnerabilities in Subnet-EVM affecting Coreth, or vice versa.
Reporting Rules
To qualify for a reward or recognition, vulnerability reports must meet the following criteria:
- The vulnerability must be reproducible, and the InitVerse security team must be able to verify its security impact.
- Reports must include clear reproduction steps, such as screenshots, videos, or scripts.
- Social engineering and phishing attacks are strictly prohibited.
- Vulnerability details must remain confidential until officially fixed; public disclosure before remediation is forbidden.
- Automated scanning tools must not be used for large-scale testing. If such tools cause service disruptions, legal action may be taken.
- When conducting security tests, avoid the following actions:
  - Modifying page content.
  - Continuously triggering pop-ups (for XSS, use logging methods instead).
  - Stealing cookies or executing other sensitive operations.
  - Using aggressive payloads (e.g., Blind XSS) without proper precautions, such as testing via DNS logs.
- Vulnerability testing is limited to PoC (proof of concept); destructive testing is strictly prohibited. If harm is caused inadvertently during testing, it must be reported promptly. Sensitive operations performed during the test, such as deletion or modification, must be explained in the report.
This program is designed to enhance security responsibly, and all participants must adhere to these rules to ensure ethical vulnerability reporting.