Today, we would like to discuss the bug bounty program implemented by the PETN executive team. For those who do not know, a bug bounty program is a process in which a company engages third-party cybersecurity specialists (in the industry we call them "white hat hackers" or "security researchers") to test its software for vulnerabilities in exchange for monetary rewards. For each vulnerability (bug) found, the person who reported it receives a reward (bounty).
The Pylon Eco Token project, administered by responsible and conscientious people, has developed its own bug bounty program. We offer financial rewards to individuals and teams who discover vulnerabilities on the PETN website. The Pylon Eco Token executive team has publicly announced the scope of work and the level of compensation for vulnerabilities, and anyone can register and take part in the bug bounty program. It is important to note, however, that the Pylon Eco Token management council rewards the discovery of certain bugs only; not every vulnerability qualifies for a reward.
We reward IT specialists for identifying the following problems in our system:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Code Executions
- SQL injections
- Server-Side Request Forgery (SSRF)
- Privilege Escalations
- Authentication Bypasses
- File inclusions (Local & Remote)
- Protection Mechanism bypasses (CSRF bypass, etc.)
- Leakage of sensitive data
- Directory Traversal
- Payment manipulation
- Administration portals without an authentication mechanism
Please also note that reports of the following issues will not be rewarded:
- Lack of rate-limiting mechanisms
- Captcha related concerns
- Open redirects without a severe impact
- Application stack traces (path disclosures, etc.)
- Self-type Cross-Site Scripting / Self-XSS
- Vulnerabilities that require Man in the Middle (MiTM) attacks
- Denial of Service attacks
- CSRF issues on actions with minimal impact
- Cache Poisoning
- Missing SPF records
- Brute force attacks
- Security practices (banner revealing a software version, missing security headers, etc.)
- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
- Vulnerabilities that are contingent on physical attacks, social engineering, spamming, DDoS attacks, etc.
- Vulnerabilities affecting outdated or unpatched browsers / Operating Systems.
- Bugs that have not been responsibly investigated and reported.
- Bugs in products or websites related to acquisition for a period of 180 days following any public announcement.
- Bugs that are already known to us, or that have already been reported by someone else (the reward goes to the first reporter).
- Issues that aren’t reproducible.
- Issues that we can’t reasonably be expected to do anything about.
Before participating in our bug bounty program, please see our rules and procedures below:
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Please also note that any report of vulnerabilities discovered by you or your team must include a detailed, step-by-step proof of concept so that we can reproduce and evaluate the problem.
You can send your bug report, or any inquiries regarding the Pylon Eco Token (PETN) bug bounty program, to this email address: [email protected]
More detailed information about our bug bounty program can be found on our website: