TRM Labs, Inc Bug Bounty Program

Welcome to TRM Labs, Inc bug bounty program! We are a digital asset compliance & risk management platform. We enabled our customers to monitor, detect and investigate crypto fraud and financial crime through are platform and APIs. Our mission is build a safer financial system for billions of people. We blend blockchain data with advanced analytics to help financial institutions and governments fight fraud, money laundering, and financial crime.

We're looking for passionate and driven researchers who can help us keep our platform secure and join us on our mission.

Good luck, and happy hunting!

Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Chainabuse

Status: In scope

Reward Tiers:

• P1: $500 – $1000
• P2: $100 – $500
• P3: $50 – $100

Chainabuse is our public facing application that allows any user to report malicious crypto activity. The application provides a self-registration using a Sign Up flow so researchers are encouraged to create test accounts in compliance with Bugcrowd policy and perform testing. There no multiple roles on the application.

Please note that while this asset is in-scope, it is lower priority compared to our B2B platform (hence the difference in reward tiers).

In-Scope Targets

Important Note

All targets in scope are in a Staging environment. Please be mindful when scanning the targets and avoid any kind of intrusive scans which might result in a DoS or account lockouts. Please do not perform any scans / testing / validation in the production environment as it is completely out of scope for the program. Our staging environment is exact copy of production and it will be ahead of production in term of feature releases.

Anything not explicitly specified as an "In-Scope" target MUST be considered out of scope. Please use our responsible disclosure program to report any problems with targets outside the scope.

Credentials

To gain access to the application, please sign up for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see Bugcrowd documentation.

Actions to Avoid

• Testing on accounts other than those that you own
• Automated testing using tools such as scanners
• Attempting denial of service (DoS) against the targets
• Excessive request attempts that affects the availability of our services to all users
• Destruction of data

Ineligible Issues (Will be closed as out of scope)

• Theoretical vulnerabilities without actual proof of concept
• Email verification deficiencies, expiration of password reset links, and password complexity policies
• Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
• Clickjacking/UI redressing with minimal security impact
• Email or mobile enumeration (E.g. the ability to identify emails via password reset)
• Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
• Internally known issues, duplicate issues, or issues which have already been made public
• Tab-nabbing
• Self-XSS
• Vulnerabilities only exploitable on out-of-date browsers or platforms
• Vulnerabilities related to auto-fill web forms
• Use of known vulnerable libraries without actual proof of concept
• Lack of security flags in cookies
• Issues related to unsafe SSL/TLS cipher suites or protocol version
• Content spoofing
• Cache-control related issues
• Exposure of internal IP address or domains
• Missing security headers that do not lead to direct exploitation
• CSRF with negligible security impact (E.g. adding to favourites, adding to cart, subscribing to a non critical feature)
• Vulnerabilities that require root/jailbreak
• Vulnerabilities that require physical access to a user's device
• Issues that have no security impact (E.g. Failure to load a web page)
• Assets that do not belong to TRM Labs
• Any activity (like DoS/DDoS) that disrupts our services
• Installation Path Permissions
• Reports from automated tools or scans
• Links to invalid/expired pages (Only valid if you can demonstrate an actual takeover of an official TRM Labs social media account linked to on every page, not just specific past announcements/blog posts)
• Social Engineering

Disclosure Terms

This engagement follows Bugcrowd's standard disclosure terms. Vulnerabilities found in this engagement requires explicit permission by selecting the disclosure request option on your submission. For more information please review the Public Disclosure Policy.