Scope of Business
The reporter visits the "SlowMist Zone" website and goes to "Submit Bug Bounty" (URL: https://slowmist.io/en/bug-bounty.html) to submit threat intelligence. (Status: to be reviewed)
1. Within one working day, the SlowMist Security Team will confirm the threat intelligence report from the "SlowMist Zone", follow up, evaluate the problem, and feed the intelligence back to the ZB contact person in the meantime (status: under review).
2. Within three working days, the ZB technical team will deal with the problem, draw conclusions and record points (status: confirmed / ignored). They will communicate with the reporter if necessary, and ask the reporter for assistance.
1. The ZB business department shall repair the security problems in the threat intelligence and update online (status: repaired). The repairing timeframe depends on the problem severity and the repair difficulty. Generally speaking, it is within 24 hours for the critical and high-risk problems, within 3 working days for the medium-risk problems, and within 7 working days for the low-risk problems. The App security issue is limited by the version release, and the repairing timeframe is on a case-by-case basis.
2. The reporter will review whether the security problem has been repaired (Status: reviewed/reviewed with
3. After the reporter confirms that the security problem is repaired, the ZB technical team will inform the SlowMist Security Team of the conclusion and the vulnerability score. They will issue rewards with the SlowMist Security Team (status: completed).
Vulnerability Level and Reward Standards
||SlowMist Zone Reward*
||$2500 ~ $10000 equivalent ZB
||$1000 ~ $2500 equivalent ZB
||$300 ~ $1000 equivalent ZB
||$10 ~ $300 equivalent ZB
*Note: ZB is the ZB platform currency. For the currency price, please refer to https://www.zb.com/en/kline/zb_usdt. The final distribution will be in the form of equivalent ZB.
*Remark: The final award depends on the severity of the vulnerability and the true impact of the vulnerability.
*SLOWMIST is the points unit of the SlowMist Zone.
A critical vulnerability is a vulnerability that occurs in a core business system (the core control system, field control, business distribution system, bastion host and other control systems that can manage a large number of systems). It can cause a severe impact, gain business system control access (depending on the actual situation), gain core system management staff access, and even control the core system.
This includes but is not limited to:
- Access to multiple devices in the internal network.
- Gaining core backend super administrator access, leaking enterprise core data and causing a severe impact.
- Smart contract overflow and race condition vulnerabilities.
- Gaining system access (getshell, command execution, etc.)
- System SQL injection (backend vulnerabilities are downgraded; packaged submissions are prioritized as appropriate)
- Unauthorized access to sensitive information, including but not limited to direct access to the management backend by bypassing authentication, backend passwords that can be brute-forced, and SSRF that obtains sensitive information from the internal network, etc.
- Arbitrary file read
- XXE vulnerability that can access any information
- Unauthorized operations that involve money, payment logic bypass (must be successfully exploited)
- Serious logical design defects and process defects. This includes but is not limited to arbitrary user login vulnerabilities, batch account password modification vulnerabilities, logic vulnerabilities involving enterprise core business, etc., except for verification code brute-forcing
- Other vulnerabilities that affect users on a large scale. This includes but is not limited to stored XSS that can propagate automatically on important pages, and stored XSS that can obtain administrator authentication information and can be successfully exploited
- Leakage of a large amount of source code
- Permission control defects in smart contracts
- Vulnerabilities that can affect users through interaction. This includes but is not limited to stored XSS on general pages, CSRF involving core business, etc.
- General unauthorized operations. This includes but is not limited to modifying user data and performing user operations by bypassing restrictions
- Denial-of-service vulnerabilities. This includes but is not limited to remote denial-of-service vulnerabilities caused by denial of service of web applications
- Vulnerabilities caused by successful brute-forcing of sensitive system operations, such as arbitrary account login and password access, due to verification code logic defects
- Leakage of locally stored sensitive authentication key information, which must be effectively usable
- Local denial-of-service vulnerabilities. This includes but is not limited to client-side local denial of service (crashes caused by parsing file formats or network protocols), problems caused by Android component permission exposure, general application access, etc.
- General information leakage. This includes but is not limited to Web path traversal, system path traversal, directory browsing, etc.
- Reflected XSS (including DOM XSS/Flash XSS)
- General CSRF
- URL redirection vulnerability
- SMS bombs, mail bombs (each system only accepts one type of this vulnerability).
- Other vulnerabilities that are less harmful and cannot be proven to be harmful (such as a CORS vulnerability that cannot access sensitive information)
- SSRF that succeeds but has no return value and no in-depth exploitation
Vulnerabilities that are not accepted at the moment (even if such a vulnerability is submitted, it will be ignored)
*Remark: The discovered vulnerabilities belonging to the following categories are temporarily not included in the bounty scope, except for those that can cause serious business impact (it needs to be verified by the ZB team).
- Third-party application vulnerabilities.
- Issues that affect users because of low-version browsers/platforms/plugins, etc.
- Theoretical risk vulnerabilities.
- Certificate/TLS/SSL related vulnerabilities.
- Vulnerabilities that allow brute-forcing of registered user names through an interface.
- Self-XSS & HTML injection.
- The webpage lacks CSP and SRI security policies.
- CSRF issues for non-sensitive operations.
- Standalone Android app android:allowBackup="true" issues, local denial-of-service issues, etc. (except for in-depth exploitation).
- Slow request caused by modifying the image size.
- Nginx or other middleware version leaks.
- Functional bugs that cannot cause security risks.
- Physical attacks against ZB/Social engineering attacks against ZB employees.
- It is forbidden to use web/port automatic scanners and other behaviors that may cause a large amount of traffic requests. Network terminals and abnormal service access caused by these behaviors will be handled in accordance with relevant laws and regulations;
- Avoid possible impacts or restrictions including but not limited to the availability of business, products, architecture, etc.;
- All vulnerability tests should clearly use their own accounts, and avoid obtaining other user accounts in any form for testing/intrusion operations;
- It is forbidden to abuse DoS/DDoS vulnerabilities, social engineering attacks, spam, phishing attacks, etc.;
- For combined exploitable vulnerabilities, we will only pay for the highest level of vulnerabilities.
- Without permission from ZB, it is forbidden to disclose the details of any discovered vulnerabilities.
- When testing vulnerabilities, try to avoid directly modifying the page, repeatedly triggering pop-up boxes (log is recommended for XSS verification), stealing cookies, obtaining other users' information, and other offensive payloads (if you are doing blind testing, please use dnslog). If you accidentally use a more aggressive payload, please delete it promptly; otherwise we have the right to pursue relevant legal liabilities.
Special thanks: the Xianzhi vulnerability classification criteria were referenced here.