Scope of Business
The INT main chain's consensus layer, network layer, local wallet, web wallet, mobile wallet (iOS and Android), private key management, serialization, and other security matters relating to all RPC interfaces.
Main chain code address: https://github.com/intfoundation/int (For related deployment documentation, please refer to Readme)
Web Wallet URL: https://wallet.intchain.io/#/
Web wallet code address: https://github.com/intfoundation/intchain-wallet
Mobile wallet address: https://fir.im/5r42
1. The reporter visits the "SlowMist Zone" website and goes to "Submit Bug Bounty" (URL: https://slowmist.io/en/bug-bounty.html) to submit a threat intelligence report (status: to be reviewed).
2. Within one working day, the SlowMist Security Team will confirm the threat intelligence report from the "SlowMist Zone", follow up, evaluate the problem, and feed the intelligence back to the INTChain contact person in the meantime (status: under review).
3. Within three working days, the INTChain technical team will deal with the problem, draw conclusions and record points (status: confirmed / ignored). They will communicate with the reporter if necessary, and ask the reporter for assistance.
4. The INTChain business department shall repair the security problems in the threat intelligence report and update online (status: repaired). The repair timeframe depends on the problem severity and the repair difficulty. Generally speaking, it is within 24 hours for critical and high-risk problems, within 3 working days for medium-risk problems, and within 7 working days for low-risk problems. App security issues are limited by the version release schedule, and the repair timeframe is decided on a case-by-case basis.
5. The reporter will review whether the security problem has been repaired (Status: reviewed/reviewed with
6. After the reporter confirms that the security problem is repaired, the INTChain technical team will inform the SlowMist Security Team of the conclusion and the vulnerability score. They will issue rewards together with the SlowMist Security Team (status: completed).
Vulnerability Level and Reward Standards
| Vulnerability Level | SlowMist Zone Reward* |
| --- | --- |
| Critical | 500 ~ 700 USDT |
| High | 300 ~ 500 USDT |
| Medium | 100 ~ 300 USDT |
| Low | 30 ~ 100 USDT |
*Remark: The INT reward will be issued in INT, at the INT/USDT price on OKEX on the day before the release.
*SLOWMIST is an Ethereum ERC20 token, the ecological incentive token for the SlowMist Zone.
A critical vulnerability is a vulnerability that occurs in a core business system (public blockchain core business, wallet core functions, etc.) and can cause a severe impact.
It includes but is not limited to:
- Smart contract overflow and race condition vulnerabilities, etc., that can cause serious data problems on the mainnet
- Consensus layer vulnerabilities, or DDoS attacks on the mainnet at a small cost, causing the mainnet to crash or fail to produce blocks.
- Gaining control of a server by intruding a full node through the P2P network.
- Unauthorized operation that involves money, payment logic bypassing (need to be successfully utilized).
- The permission control defects in the smart contract.
- Vulnerabilities cause state data errors, similar to double-spending.
- System SQL injection causes serious problems.
- The design of the main chain business is flawed, which prevents the business from being implemented properly.
- RPC interfaces or transactions that handle parameters unreasonably, leading to more serious problems such as SQL injection in the system.
- Denial-of-service vulnerabilities. This includes but is not limited to remote denial-of-service vulnerabilities caused by denial of service of web applications
- Leakage of locally stored sensitive authentication key information, which must be effectively usable
- Local denial-of-service vulnerabilities. This includes but is not limited to client-side local denial of service.
- RPC interface return values or data structures whose design is unreasonable and affects the user experience; the unreasonable part must be pointed out.
- Some serious user experience issues.
- Other vulnerabilities that are less harmful and cannot be proven to be harmful
Vulnerabilities that are not accepted at the moment (even if such a vulnerability is submitted, it will be ignored)
- Email Spoofing / Missing SPF Record.
- User enumeration vulnerability.
- CSRF issues for non-sensitive operations.
- A separate issue about the Android app setting android:allowBackup="true", local denial of service, etc. (unless exploited in depth).
- Problems such as changing the size of an image and causing slow requests, etc.
- Version leak issues such as Nginx/Tomcat, etc.
- Some functional bugs that do not pose a security risk issue.
- It is forbidden to conduct social engineering and phishing to people;
- It is forbidden to leak the details of the vulnerability;
- Vulnerability testing is limited to PoC (proof of concept), and destructive testing is strictly prohibited. If harm is caused inadvertently during testing, it should be reported in time. Meanwhile, sensitive operations performed in the test, such as deletion, modification, and other operations, must be explained in the report;
- It is forbidden to use a scanner for large-scale scanning. If the business system or network becomes unavailable, it will be handled according to the relevant laws;
- Those who test a vulnerability should avoid modifying the page directly, repeatedly popping up message boxes (dnslog is recommended for XSS verification), stealing cookies, and using aggressive payloads such as ones that obtain user information (for blind XSS testing, please use dnslog). If you accidentally used a more aggressive payload, please delete it in time. Otherwise, we have the right to pursue the related legal liabilities.
Special thanks: the Xianzhi vulnerability classification criteria were referenced here.