tZERO
External Program
Submit bugs directly to this organization
Last Updated: 23 Jun 2021 19:40:37 GMT+0
tZERO invites you to test and help secure our primary trading application and tZERO assets. We appreciate your efforts and hard work in making the internet (and tZERO) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!
For the initial prioritization/rating of findings, this program will use the [Bugcrowd Vulnerability Rating Taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy). However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
In scope
| Name / Location | Tags | Known issues |
| --- | --- | --- |
| *.tzero.com | | |
| https://dino.tzero.com/ | | |
Testing is only authorized on the targets listed as In-Scope. Any domain/property of tZERO not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to the tZERO org, it may be reported to this program, and is appreciated - but will ultimately be marked as 'not applicable.'
*.tzero.com - Any of our own assets should be in scope for this Vulnerability Disclosure Program. Let us know
dino.tzero.com - tZERO's main online trading application. Researchers are invited to do a full deep dive into this application and its functionality.
tZERO Mobile Applications (iOS & Android) - Researchers are free to test both the iOS and Android applications. No accounts have been provided, but you can create your own account for these applications. Please note: there is no identity verification in the applications. IMPORTANT: No testing tokens will be provided for mobile applications.
You can download the iOS application from https://apps.apple.com/us/app/tzero-crypto/id1468985150.
You can download the Android application from https://play.google.com/store/apps/details?id=com.tzero&hl=en_US.
Please sign up for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see https://researcherdocs.bugcrowd.com/v2.0/docs/your-bugcrowdninja-email-address.
When conducting vulnerability research according to this policy, we consider this research to be:
Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via [email protected] before going any further.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please visit [Bugcrowd Support](https://bugcrowd-support.freshdesk.com/support/tickets/new) and create a support ticket. We will address your issue as soon as possible.
This engagement follows Bugcrowd's [standard disclosure terms](https://www.bugcrowd.com/resource/standard-disclosure-terms/).
This engagement does not allow disclosure. You may not release information about vulnerabilities found in this engagement to the public.