計畫範圍、政策和獎金
範圍
- www.maicoin.com (https://www.maicoin.com/)
- max.maicoin.com (https://max.maicoin.com/)
- api.maicoin.com (https://api.maicoin.com/)
- max-api.maicoin.com (https://max-api.maicoin.com/)
- Android: com.maicoin.maicoin (https://play.google.com/store/apps/details?id=com.maicoin.maicoin)
- Android: com.maicoin.max (https://play.google.com/store/apps/details?id=com.maicoin.max)
- iOS: MaiCoin https://itunes.apple.com/tw/app/id1439583926
- iOS: Max https://itunes.apple.com/tw/app/id1370837255
政策
- 請提供MaiCoin詳細的漏洞報告並包含可重現漏洞的步驟。
- 請給予MaiCoin合理的時間執行修補計畫並修復漏洞。
- 未經MaiCoin事前書面同意,請勿揭露任何漏洞、任何您回報給MaiCoin的資訊,及任何MaiCoin回饋給您關於漏洞的資訊予任何第三方。即使該漏洞已被修補,亦同。
- 請勿嘗試瀏覽、更動或是破壞屬於其他使用者的資料。
- MaiCoin得隨時單方終止本計畫或修改本計劃的所有條款和規定。
同時,您必須符合下列所有條件,才有資格獲得獎金:
- 您是第一位回報特定安全性漏洞的研究人員。
- 您回報的安全性問題經確認為可驗證、可重現、可利用且包含在計畫範圍內。
- 您遵守本計畫的所有條款和規定。
- 您於本計畫終止之前回報。
另外,所有下列相關的漏洞皆不在本計畫範圍內:
- Social engineering(e.g. phishing).
- Physical security.
- Non-security-impacting UX issues.
- Deprecated Open Source libraries are not in scope. If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.
- Missing best practices in SSL/TLS configuration.
- Self-XSS and issues exploitable only through Self-XSS.
- Clickjacking on pages with no sensitive actions.
- Related to tab-jacking, tab-nabbing, and text injection.
- Related to DNS over HTTPS, DNSSEC, and DNS CAA record.
- Attacks requiring MITM, physical access or privileged access(e.g. root a phone) to a user's device.
- Any activity that could lead to the denial/degradation of service (DoS).
- Enforcement policies for brute force or account lockout.
- Missing security headers.
- Unauthenticated/logout/login CSRF.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Unconfirmed reports from automated vulnerability scanners.
- Disclosure of server or software version numbers.
- Disclosure of known public files and other information disclosures that are not a risk (e.g. robots.txt).
- Disclosure of information with minimal security impact (e.g. stack traces, path or directory listing, logs).
- Theoretical sub-domain takeovers with no supporting evidence.
- Vulnerabilities or weaknesses in third party applications that integrate with MaiCoin.
- Issues only present in end-of-life software.
- Ability to abuse existing banking functionality.
- Exposure of the IP address or domains.
- Spamming or Un-limiting Email rate.
本計畫的參與者不得:
- 侵犯其他人權利或是法律的任何行為
- 寄送垃圾郵件給MaiCoin使用者
- 使用發現的漏洞閱覽、刪除、修改或揭露其他使用者的資料
- 使用發現的漏洞閱覽、刪除、修改或揭露系統原始碼
- 任何上列行為以外,違反本計畫精神與目的的行為
MaiCoin會盡最大努力遵守以下回應時間目標:
| 回應類型 | 工作日 |
| 初次回應 | 3日 |
| 初步分類 | 7日 |
| 獎勵發放 | 30日 |
有關本計畫的詢問:
所有相關的詢問均應發送至 bounty@maicoin.com,使用其他方式發出的詢問皆不會收到任何回應。
漏洞調查與回報:
發現安全性問題,請使用 bounty@maicoin.com 聯絡我們。回報安全弱點時,請使用MaiCoin提供的PGP金鑰加密漏洞資訊。MaiCoin安全團隊將於三個工作日內回覆您,並依據問題的嚴重性儘速修正問題。
PGP Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF3U3oQBEADRxIkFpeCD7Wy8mlKRtswIopjzvsDpzeIfYx56Sp+/4+agMsL2
hHBWacLYlja9U2dIUizQwKSUT8kDeiLyZF9EUd2napbQLtALHok/NoD+BZtrPkUA
s0k1IK2YiS3tc56IomNgxUN88kWwFe4dmGyRWe3YfgcVT57VZcP/jI5HigoOb8Qa
slwcQGzoWmbgc5kVhGzS1EHZRFebB1fCCkxFxmxpyMUBhMmUOV02urRYli9EPjqE
bYKE0pE6J6avr3ijvZ5cb+Z/cnMSZooEUPPRfDJOKSbch8wUT6CVb0CjMQs1TA6+
/0FPvsjK/aPo/dq1IE191uo8yrP/BWScKAn6XmJQOjM+EFvGM9Doo3EkhnWf4S7O
XFX/5zVNjdIMBwyKVrbbDxRk+JNHxIvFjHFMkEcF+0CPsDaeMeGtjHoN36KgrDR0
IIlza78Kn0g8erxvSnuawJdSMtBD1Qiv74p4Vdqhl+QkupKQMfYApsHOh+ANymqg
aS981/1baQad1yqNrRi4Opx+JhnPC/WMup0wd/jlI5lOCtVKHF45TI2McNIrds7H
oalmCSVl9Y5qLdqxgnOV5Cq6EexrH4ZXlbWifINgNWKDQHW8ZfjrXGAQjNk+3u/X
LuueobqsxVve6aHdJeNOW2b2TTv1MpF+4wkjcmj490vhtl3GQbgvAa/viwARAQAB
tCpNYWlDb2luIFNlY3VyaXR5IFRlYW0gPGJvdW50eUBtYWljb2luLmNvbT6JAlQE
EwEIAD4WIQSfRg270GPVPXb8HAwwPU4qAj51iAUCXdTehAIbAwUJB4YfgAULCQgH
AgYVCgkICwIEFgIDAQIeAQIXgAAKCRAwPU4qAj51iH6JEAC8h6jnXjZ7n2i7qfWB
c604XYhyxq+9GuGRZ0Y79+7IDtT2hjbWYCrXoB48GJyu8FBd9DJvCQUnF8sI6umW
4tjQ0LLWcW8/u+RvqO391iUOueAd+JuLjIjYKskbJmWy+eqHMOgUbbtTHf3iKWwc
GB8hMmGsY4/GM4cPmhzBiL4FH0ltWfLQQWptoHmB48R87qkDFuRx51rNguSEGxqo
YAC4yaBdt3vUhVeN8189q6JS4r/gifblnWm2UYXnZSakN8jJwCe8E1DxlS+e/A3B
jgEn9uVyQsxLDP3Ygy1MCdLHm6maW+G44SBJIGShN51QEi5tQCO3gqmdZl2BzieI
LXd5KQzivezU1x7HHuuD7M3uWwtTjPUQ+dAc8YXzW2epkjwT3DKQZF83sIUrBNac
Np90um3vSrHCLCnc561KOc0TLCkMdHmIjlKL2UtW38HCZOvrpu7XL5xUP52J4f7W
IuH1A+lBbbPYN+xh0t9U7ypnFfO+kGZzVf8EFg9tPtMJ3N7e5MZNEWauQSetBZBM
B2BDVgChwNUNRdTMB1W4JUedyUYu2Oqg7oPXXAQq9ijc5zYsI4q1t5gYxxl4YkcJ
P5EDHmb0r9LcT1UpXNKucch7m4fl//HzGcDUUaVJs9tVnmb2NgUkv6FNbCoa2keH
yuD4qLzK6auYBaVI9YqqnMPXx7kCDQRd1N6EARAAsCzXLEssyJPrMGS1qAueKW18
kTf/0NtKoZg3TPxTlpZv9riSATL52xMpJ2ohWBic1jqxvlG7A4leymR0T3by6Jxq
rYWMUZhpiHvInZKC1vGgk3ctu2UaTPcB5dmIKuAFNgwir0Z3wej9dxI8DFN6K2+B
27DLljhDzVOGrtZ5vNXomL4LXyDp0ZeNrNXEwEmWZffTVdtNF0z5PZX3gVXGIav7
DmLrstaHocqUfcP17I0nM4yRMw1x7DMUjurOW9bRVEmN9BM7SAibIzMefBvJ59KF
ps36FiYJ/bRw1ez9qDFxytXyFdZAr5M+ToMEhLkofwaygE68i657CMsSbnnODNKI
gbQDbd9JMCqGrk5FXu3/0x4UOGHp7loVSRaQhHC4pwZP4vuovpMFjirzMAn9h6Qs
efG3JWoqtfZM9yh09JLtX79qq7Rw7Gf6TkSuVQgYPwa6rG/QJ2/dzJh8RGW94kdP
yNMDd8P4N3tlxXdmvP0/pkDuhK0xoePUlnu83KGaj1Jqr9RFwP5hz5BBC3Ckw4vw
phQvRcU9JeeI0QtoGecsjRyIM6/SMuyTtKBvDVbySU1tiitnH3Acjh+MYElzYJ4Y
UpMd8Fwq71mHENc+2aOUZm3Vrb0qY+r9Xb2ajQy6OgpNpSkqVIh4sVlkeK/X7aVc
EuuoDeNh+JOtVQZUjAMAEQEAAYkCPAQYAQgAJhYhBJ9GDbvQY9U9dvwcDDA9TioC
PnWIBQJd1N6EAhsMBQkHhh+AAAoJEDA9TioCPnWIaMsP/AnYjt1Jv4zmL19QipyW
+yoFHIkq5HFccoKs9wuqB0OafgYFeRWk2KDee627JMoafw2xkm+DIFxJd320twP5
LdNL3FkX8Bf/PEkUfz/i4r3y6nrteHREwiaUAO/NoaTVPNKyULbOxBWYCmY5bBxz
M4y8FeaonTLxOk62AmC48aob2wUmSaRJqYmNNDo8r7d/f82t1h46SSZVT8yDT8xX
3+duoq1yjmcbc7Mp372rUD4YlKvM7buCxMgPwDKihlyb3sEKuloGJNwI0x779Bhd
xfhwYJNZuk21Sh1mr7/je9YAGRSIuvHMzOypQF2A0FTHROkl2y2V5X1G8Ex3GKlG
uhsIJL7wSavSyixnC19M0IHpjAT1nPGnLdDrsmXxl2ZcZDvnfIIUyR93tWrGiFfa
Bbw+RXYaY5kvGeOhbqDbme7/lQJbxwDPafNpCn+DFKNtdvJD5ttaUHPUJuX7ASG1
6oxIRK9jZDJOShJ4OA7OpntifSE74pY2gvMgxN9CLSuXUySsGm8d5GpzkYJlh8rk
B4Rv81rf7TtMHHTNMOrC+0p2lGNv15oOLg0cvnM0KwHv65VRgJUHzTddOgLLdI2F
gxSFh5OGQNzGXZlxdA78KTK50oSRwPjSRsTgEjKLacI7ADrXevI/QQIUhWCXkqVp
PhOKrzFmHosS4TdnVJf2f3CO
=FagH
-----END PGP PUBLIC KEY BLOCK-----獎金
獎金表:
| 嚴重等級 | 獎金(USDT) |
| 嚴重 | 3000 |
| 高 | 750 |
| 中 | 150 |
| 低 | 30 |
獎金將會使用USDT或等值的新台幣支付,當您提出的漏洞被確認並接受後,請提供以下任一資訊作為領取獎金的管道:
- 您的 USDT 錢包地址
- 您的新台幣銀行帳戶
漏洞等級描述:
MaiCoin認為”嚴重”風險等級的漏洞包含:
- Read /write sensitive data in a system.
- SQL injection
- Remote arbitrary code execution
- Vertical authentication/authorization bypass
- Exfiltrate digital or fiat currency
- And other critical-severity issues
MaiCoin認為”高”風險等級的漏洞包含:
- Server-side request forgery to an internal service
- Stored/Reflected XSS in the core service
- Lateral authentication/authorization bypass
- And other high-severity issues
MaiCoin認為”中”風險等級的漏洞包含:
- Cross-site request forgery
- Server-side request forgery
- Sensitive information/data disclosure
- Server misconfiguration or provisioning errors with the immediate risks
- Arbitrary file upload with the immediate risks
- And other medium-severity issues
MaiCoin認為”低”風險等級的漏洞包含:
- Server misconfiguration or provisioning errors
- Found demo/example configuration
- General information disclosure
- And other low-severity issues