Tools For Humanity (TFH) is proud to collaborate with the vibrant community of independent security research to secure our platform and our users. To recognize your efforts and the role you play in enhancing the security of TFH and the World ecosystem, we have established this bug bounty program in partnership with HackerOne. Please make sure you review and understand this Policy before submitting a report. If you have any questions or need clarification, please don't hesitate to reach out. By participating in this program, you agree to adhere to this Policy as well as HackerOne’s policies, such as their Code of Conduct.

Response Targets

TFH will make a best effort to meet the following SLAs for hackers participating in our program:

The only appropriate place to inquire about a submitted report’s status is HackerOne. Please refrain from submitting your report or inquiring about its status through additional channels, as this unnecessarily binds our security team’s resources.We will try to keep you informed about our progress throughout the process.

Rules

By submitting reports or otherwise participating in this program, you agree that you have read, understand, and will follow the Rules and Legal Terms sections of this program Policy. Violation of any of these rules can result in ineligibility for a reward and/or removal from the program.

As a participant in our bug bounty program you must:

• Respect the privacy of our users, avoid data destruction and avoid engaging in interruption or degradation of our service.
• Only engage only with accounts you own or for which you have explicit permission from the account holder.

The following issues or actions are not allowed in our bug bounty program:

• Social engineering (e.g., phishing, vishing, smishing)
• Denial-of-service attacks
• Any activity that could lead to the disruption of our service (DoS) or the sites of our third-party software and services (marketing services, third-party mail services, developer/support installations etc.)
• Any attempts to exploit or compromise the physical security of our infrastructure or facilities. If you become aware of a vulnerability that affects the Orb, please report directly to us through this platform.
• Testing against any third party hosted services on subdomains owned by TFH or Worldcoin Foundation.

Behave professionally. Failure to follow HackerOne's policies, such as the Code of Conduct, may result in the report being ineligible for a reward at TFH sole discretion, in addition to any enforcement action HackerOne may decide to take.

Ineligible vulnerability types

When reporting potential vulnerabilities, please consider (1) realistic attack scenarios, and (2) the security impact of the behavior. Below, you will find the most common false positives we encounter. The following issues will be closed as invalid except in rare circumstances demonstrating clear security impact.

• Clickjacking on pages with no sensitive actions
• DoS and DDoS vulnerabilities with an exception to issues affecting World Chain
• Unconfirmed reports from automated vulnerability scanners
• Broken link hijacking
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Attacks requiring MITM or physical access to a user's device
• Previously known vulnerable libraries without a working proof of concept
• Comma Separated Values (CSV) injection without demonstrating a vulnerability
• Missing best practices in SSL/TLS configuration
• Content spoofing and text injection issues
• Most issues related to rate limiting and brute force behaviors
• Denial-of-service attacks
• Missing best practices in security policies
• Missing HTTPOnly or Secure flags on cookies
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)
• Vulnerability reports that reference zero-day exploits or CVEs that are less than 3 months old will be awarded on a case-by-case basis
• Tabnabbing
• Open redirect (unless an additional security impact can be demonstrated)
• Issues that require unlikely user interaction
• Vulnerabilities in libraries, modules, or code components where no evidence is provided that:
  • The vulnerable functionality is exposed to untrusted users in production deployments
  • The code is reachable through actual application interfaces or user-accessible endpoints
  • The exploitation scenario reflects realistic production configurations and access patterns

Disclosure Policy

Our Rules prohibit the disclosure of any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. You must follow HackerOne's Vulnerability Disclosure Guidelines.

Rewards

• In most cases, only the first person to report an unknown issue, as determined solely by TFH, will be eligible for a reward.
• Our rewards are primarily based on severity and impact, guided by the CVSS (the Common Vulnerability Scoring Standard).
• Multiple vulnerabilities caused by the same underlying issue will be awarded one bounty.
• Vulnerabilities that are due to an issue in an upstream dependency are out of scope and should instead be reported to the upstream maintainers. We may make exceptions for vulnerabilities that have a substantial impact to our production environment and customer data, however, issues should still be directed to the maintainers of the dependency upstream first.
• While we try to be as consistent as possible, rewards may change as our program evolves.

When submitting a report to our security team, submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate a higher impact.

Getting started

The assets in scope are organized into two categories: Primary Assets and Secondary Assets. This classification is determined by the maturity level of each asset and the risk it poses to TFH and the World ecosystem. Assets listed in the scope table will specify their assigned category, with any asset not designated as a Primary Asset automatically categorized as a Secondary Asset. For further clarity, Primary Assets are also outlined below:

The TFH security team maintains a Treasure Map to provide researchers with additional insights into the assets included in the bug bounty program’s scope. This resource serves as a guide for researchers to better understand the scope and focus their testing efforts. As the program and its scope evolve, further details and assets will be added to the Treasure Map.

We encourage you to subscribe to the Treasure Map repository to receive updates on new additions. For a comprehensive overview of the World protocol, please refer to the World white paper.

Test Plan

Testing .orb.worldcoin.org

We're not providing credentials for the orb API as this is our private network of orb devices and there's no self registration. Our public-key cryptography-based authentication API resides at auth.orb.worldcoin.org.

Testing .consumer.worldcoin.org

For the wallet API, the user account is an Ethereum address and authentication is based on public-key cryptography. You can generate a key pair and start interacting with the API. You can also create an account by downloading our app, but it's not possible currently to view your private key.

Additionally here is a private key 0x4bb934c301cf29d8d2f38f09d2e9d23d0a66b352a8291bcde49734886ce80f62 for a testing account, it can be used to obtain auth tokens under the api.consumer.worldcoin.org.

We require users solving public key challenge during login procedure:

1. Request challenge

   bash
   curl --request POST \
   --url https://api.consumer.worldcoin.org/v1/graphql \
   --header 'Content-Type: application/json' \
   --data '{
     "query": "mutation { requestChallengeV2(input: {eoaAddress: \"<your public key>\"}) { challenge expiresAt } }"
   }'

2. Sign and solve challenge with your private key

   • Sign the challenge

     js
     // Challenge should be taken from previous step (requestChallengeV2)
     const { Wallet } = require('ethers');
     const wallet = new Wallet(<privateKey>) // 
     const challenge = 'trustme:...'
     const signature = await wallet.signMessage(challenge)

   • Solve the challenge by submitting a mutation

     bash
     undefined

   curl --request POST
   --url https://api.consumer.worldcoin.org/v1/graphql
   --header 'Content-Type: application/json'
   --data '{ "query": "mutation { solveChallengeV2(input: {challenge: "", signature: ""}) { accessToken } }" }' ```

3. Using gql api with access token

   bash
   curl --request POST \
   --url https://api.consumer.worldcoin.org/v1/graphql \
   --header 'Content-Type: application/json' \
   --header 'x-authorization: ACCESS_TOKEN' \
   --data '{"query":"query me { \n\tme {id}\n}","variables":{},"operationName":"me"}'

Eligibility for Participation

You are responsible for complying with any applicable laws. You are not eligible to participate in this program if you:

• are currently employed by TFH or Worldcoin Foundation (reports from former employees, immediate family of current employees, or other associates of TFH that may present a conflict of interest of the goals of the program will be more thoroughly reviewed and may not qualify for the stated bounty rewards at TFH discretion.)
• are the author of the code that is affected by the vulnerability being reported, or you were otherwise involved in its integration into TFH or created, or assisted in the creation of, the issue about which you are reporting.
• are a resident or individual located within a country appearing on any U.S. sanctions lists (such as the lists administered by the US Department of the Treasury’s OFAC).

Safe Harbor

TFH considers good faith security research to be authorized activity that may be protected from adversarial legal action by us. As such, we adhere to HackerOne’s Gold Standard Safe Harbor which can be found here.

#Legal Terms In connection with your participation in this program you agree to comply with TFH’s Terms of Service, TFH’s Privacy Policy, and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.

To be fully protected under HackerOne's 'Gold Standard Safe Harbor', you may use potentially sensitive data only to validate your finding, report it, and verify the effectiveness of a fix. Do not retain or misuse such data, and report all accesses to TFH immediately after discovery.

TFH reserves the right to change or modify the terms of this program at any time.

Thank you for helping keep TFH and the World ecosystem safe!