VeChain Security-vulnerabilities and Threat-intelligence Bounty Programme - SlowMist Zone

Table of Contents

Content

Scope of Business

1. VeChain Thor public blockchain source code and built-in smart contract, address of GitHub https://github.com/vechain/thor , vulnerability level using CVSSv3 specification and the reward criteria are the same as in the following table.

Protocol security

Conceptual and practical security issues in the formal specification of the protocol.
Misaligned / unintended economic incentives and game theoretic flaws.
Security weaknesses / attacks on the P2P communication protocol and PoA consensus algorithm.

Implementation security

Client protocol implementation security

Assuming that the protocols and algorithms are flawless, does a client implementation conform to the formal protocol specification? Issues could include:

Validations of blocks, transactions and messages
Ethereum Virtual Machine code execution
Transaction execution
Contract creation
Message calls
Calculation and enforcement of gas and fees

Network security

This category focuses on generalized attacks on the whole network or a subset of it:

51% and other X% attacks.
Finney attacks.
Sybil attacks.
Replay attacks.
Transaction / messages malleability.

Client application security

This category addresses more classical security issues:

Data type overflow / wrap around, e.g. integer overflow.
Panics or not properly handled errors.
Concurrency, e.g. synchronization, state, races.
Issues related to external libraries used.

Cryptographic primitives security

This category includes:

Incorrect implementation / usage / configuration of:
Elliptic curve (secp256k1, ECDSA).
Hash algorithms (Keccak-256).
Merkle Patricia trees.

2. VeChain Thor mobile wallet APP, obtains the address iOS Android

Processing Flow

Reporting Stage

The reporter visits "SlowMist Zone" website and goes to "Submit Bug Bounty" (URL：https://slowmist.io/en/bug-bounty.html) to submit a threat intelligence. (Status: to be review)

Processing Stage

1. Within one working day, the SlowMist Security Team will confirm the threat intelligence report from the "SlowMist Zone", follow up, evaluate the problem, and feed the intelligence back to the VeChain contact person in the meantime (status: under review).

2. Within three working days, the VeChain technical team will deal with the problem, draw conclusions and record points (status: confirmed / ignored). They will communicate with the reporter if necessary, and ask the reporter for assistance.

Repairing Stage

1. The VeChain business department shall repair the security problems in the threat intelligence and update online (status: repaired). The repairing timeframe depends on the problem severity and the repair difficulty. Generally speaking, it is within 24 hours for the critical and high-risk problems, within 3 working days for the medium-risk problems, and within 7 working days for the low-risk problems. The App security issue is limited by the version release, and the repairing timeframe is on a case-by-case basis.

2. The reporter will review whether the security problem has been repaired (Status: reviewed/reviewed with objection).

3. After the reporter confirms that the security problem is repaired, the VeChain technical team will inform the SlowMist Security Team of the conclusion and the vulnerability score. They will issue rewards with the SlowMist Security Team (status: completed).

Vulnerability Level and Reward Standards

Level	VeChain Reward*	SlowMist Zone Reward*
Critical	10,000 USD	512 SLOWMIST
High	5,000 USD	256 SLOWMIST
Medium	2,500 USD	100 SLOWMIST
Low	500 USD	32 SLOWMIST

*Remark: the final award depends on the severity of the vulnerability and the true impact of the vulnerability, the values in the table are the highest rewards for each level. VeChain reward will be in the form of a VET at the price of CoinMarketCap VET/USD EOD the day before the issue.

*SLOWMIST is Ethereum ERC20 Token, the ecological incentive token for the SlowMist Zone.

The rules of VeChain CyberSecurity Program are as follows:

You must not disrupt any service, or compromise personal data
You must send a clear textual description of the work done, along with steps to reproduce the vulnerability
After sending report, you cannot tell anyone or anywhere. Public disclosure of a vulnerability makes it ineligible for a reward
For similar issues, only the first submission is eligible for bounty reward
In case you find chain vulnerabilities we pay only for vulnerability with the highest severity
It’s entirely at VeChain's discretion to decide whether a bug is significant enough to be eligible for reward and its severity
For any question, please contact bounty@vechain.com, join the Official Developer Gitter Channel or the technical discussion section of the VeChainWorld Forum.

Critical Vulnerabilities

A critical vulnerability refers to the vulnerability occurs in the core business system (the core control system, field control, business distribution system, fortress machine and other control systems that can manage a large number of systems). It can cause a severe impact, gain business system control access (depending on the actual situation), gain core system management staff access, and even control the core system.

It is including but not limited to:

Multiple devices access in the internal network.
Gain core backend super administrator access, leak enterprise core data and cause a severe impact.
Smart contract overflow and conditional competition vulnerability.

High-risk Vulnerabilities

Gain system access (getshell, command execution, etc.)
System SQL injection (backend vulnerability degradation, prioritization of package submission as appropriate)
Gain unauthorized access to the sensitive information, including but not limited to, the direct access to the management background by bypassing authentication, brute force attackable backend passwords, and to obtain SSRF of sensitive information in the internal network, etc.)
Arbitrarily document reading
XXE vulnerability that can access any information
Unauthorized operation that involves money, payment logic bypassing (need to be successfully utilized)
Serious logical design defects and process defects. This includes but is not limited to any user log-in vulnerability, the vulnerability of batch account password modification, logic vulnerability involving enterprise core business, etc., except for verification code explosion
Other vulnerabilities that affect users on a large scale. This includes but is not limited to the storage XSS that can be automatically propagated on the important pages, and the storage XSS that can access administrator authentication information and can be successfully utilized
Leakage of a lot of source code
The permission control defects in the smart contract

Medium-risk Vulnerabilities

The vulnerability that can affect users by the interaction part. It includes but is not limited to the storage XSS on general pages, CSRF involving core business, etc
General unauthorized operation. It includes but is not limited to modify user data and perform user operation by bypassing restrictions
Denial-of-service vulnerabilities. It includes but is not limited to the remote denial-of-service vulnerabilities caused by denial-of-service of web applications
The vulnerabilities caused by a successful explosion with the system sensitive operation, such as any account login and password access, etc. due to verification code logic defects
The leakage of locally-stored sensitive authentication key information, which needs to be able to use effectively

Low-risk Vulnerabilities

Local denial-of-service vulnerabilities. It includes but is not limited to the client local denial-of-service (parsing file formats, crashes generated by network protocols), problems that are caused by Android component permission exposure, general application access, etc.
General information leakage. This includes but is not limited to Web path traversal, system path traversal, directory browsing, etc
Reflective type XSS (including DOM XSS/Flash XSS)
General CSRF
URL skip vulnerability
SMS bombs, mail bombs (each system only accepts one type of this vulnerability).
Other vulnerabilities that are less harmful and cannot be proven to be harmful (such as CORS vulnerability that cannot access sensitive information)
No return value and no in-depth utilization of successful SSRF

Vulnerabilities that are not accepted at the moment (even if such a vulnerability is submitted, it will be ignored)

Email Spoofing / Missing SPF Record.
User enumeration vulnerability.
Self-XSS
CSRF issues for non-sensitive operations.
A separate issue about Android app android:allowBackup=”true” , and the service is denied locally, etc. (unless in-depth use).
Some problems such as changing the size of the image and causing slow requests, etc.
Version leak issues such as Nginx/Tomcat, etc.
Some functional bugs that do not pose a security risk issue.

Prohibited behaviors

It is forbidden to conduct social engineering and phishing to people;
It is forbidden to leak the details of the vulnerability;
Vulnerability testings are only limited to PoC(proof of concept), and destructive testings are strictly prohibited. If harms are caused inadvertently during the testing, it should be reported in time. Meanwhile, sensitive operations performed in the test, such as deletion, modification, and other operations, are required to be explained in the report;
It is forbidden to use a scanner for large-scale scanning. If the business system or network becomes unavailable, it will be handled according to relevant laws;
Those who test the vulnerability should try to avoid modifying the page directly, continuing poping up the message box (dnslog is recommended for xss verification), stealing cookies, and obtaining aggressive payload such as the user information (for blind xss testing, please use dnslog). If you accidentally used a more aggressive payload, please delete it in time. Otherwise, we have the right to pursue related legal liabilities.

Special thanks to The xianzhi vulnerability classification criteria referred here.