Details

Turingbitchain Bug Bounty Program

Turingbitchain is the creator of the Bitcoin Virtual Machine (BVM) and has implemented a scalable BTC Layer2 solution.

Project Overview

Turingbitchain is the creator of the Bitcoin Virtual Machine (BVM) and has implemented a scalable BTC Layer2 solution.

Rewards

Rewards will be provided based on the rules of this bug bounty program. At the discretion of Turingbitchain, the quality, creativity, or novelty of the submission may influence the reward amount within a given range.

If multiple reports are submitted for the same issue, only the earliest valid submission will be rewarded.
Vulnerabilities will be assessed based on the CVSS 3.1 standard.

Main Testing Focus

Private keys are encrypted and stored using passwords or biometric authentication. When a user initiates a transaction, the private key is unlocked.

Key Objective

Evaluate whether the private key can be stolen during the transaction process. The focus is on vulnerabilities that could lead to direct private key leakage, causing immediate or potential loss of user assets.

Severity Levels and Rewards

Severity	Description	Reward
Critical	Vulnerabilities that directly lead to private key leakage, exploitable without additional conditions, and may cause immediate and irreversible asset loss.	800 ~ 1,000 USDC
High	Vulnerabilities that enable private key theft under certain conditions (e.g., user interaction or environment), potentially causing significant loss, but requiring more effort.	500 ~ 800 USDC
Medium	Vulnerabilities that increase the risk of private key theft in complex scenarios (e.g., chained attacks), but are difficult to exploit directly.	300 ~ 500 USDC

Scope

In Scope

Mobile Applications
https://info.turingwallet.xyz (application download address)

Out of Scope

Theoretical vulnerabilities without actual proof or demonstration
Attacks requiring root/jailbreak privileges or physical access to the device
Attacks relying on users installing malicious software or running in non-standard environments
Vulnerabilities that only exist in emulator/simulator environments
DDoS or performance issues not related to security
Feature requests or UI/UX-related feedback
Best practice concerns without clear security impact and PoC
Issues caused by third-party libraries or OS-level bugs (unless specific to app implementation)
Vulnerabilities requiring users to input commands manually or modify the app

Reporting Rules

Reports must be reproducible and verifiable by the Turingbitchain security team and demonstrate a clear security impact.
Include detailed reproduction steps, such as screenshots, videos, scripts, etc.
Do not:
- Engage in social engineering or phishing
- Disclose vulnerability details publicly
- Use automated scanners for large-scale scanning (legal consequences may apply if service disruption occurs)
During testing:
- Avoid directly modifying pages, repeated pop-ups, stealing cookies, or using aggressive payloads (use DNSLog for blind XSS testing)
- If an aggressive payload is used by mistake, delete it promptly
- Testing must be limited to proof of concept (PoC) only; destructive testing is strictly prohibited
- Any accidental harm must be reported immediately
- Clearly explain any sensitive operations performed during testing (e.g., deletion, modification) in the report

Rewards

If multiple reports are submitted for the same issue, only the earliest valid submission will be rewarded.

Vulnerabilities will be assessed based on the CVSS 3.1 standard.

Main Testing Focus

Private keys are encrypted and stored using passwords or biometric authentication. When a user initiates a transaction, the private key is unlocked.

Key Objective

Severity Levels and Rewards

Severity	Description	Reward
Critical	Vulnerabilities that directly lead to private key leakage, exploitable without additional conditions, and may cause immediate and irreversible asset loss.	800 ~ 1,000 USDC
High	Vulnerabilities that enable private key theft under certain conditions (e.g., user interaction or environment), potentially causing significant loss, but requiring more effort.	500 ~ 800 USDC
Medium	Vulnerabilities that increase the risk of private key theft in complex scenarios (e.g., chained attacks), but are difficult to exploit directly.	300 ~ 500 USDC

Scope

In Scope

Mobile Applications

https://info.turingwallet.xyz (application download address)

Out of Scope

Theoretical vulnerabilities without actual proof or demonstration

Attacks requiring root/jailbreak privileges or physical access to the device

Attacks relying on users installing malicious software or running in non-standard environments

Vulnerabilities that only exist in emulator/simulator environments

DDoS or performance issues not related to security

Feature requests or UI/UX-related feedback

Best practice concerns without clear security impact and PoC

Issues caused by third-party libraries or OS-level bugs (unless specific to app implementation)

Vulnerabilities requiring users to input commands manually or modify the app

Reporting Rules

Reports must be reproducible and verifiable by the Turingbitchain security team and demonstrate a clear security impact.

Include detailed reproduction steps, such as screenshots, videos, scripts, etc.

Do not:

Engage in social engineering or phishing
Disclose vulnerability details publicly
Use automated scanners for large-scale scanning (legal consequences may apply if service disruption occurs)

During testing:

Avoid directly modifying pages, repeated pop-ups, stealing cookies, or using aggressive payloads (use DNSLog for blind XSS testing)
If an aggressive payload is used by mistake, delete it promptly
Testing must be limited to proof of concept (PoC) only; destructive testing is strictly prohibited
Any accidental harm must be reported immediately
Clearly explain any sensitive operations performed during testing (e.g., deletion, modification) in the report