[{"id":3743203,"new_policy":"# Intro\n\nBlockchain.com is the most trusted and fastest-growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.\n\nTo date, we have over 80 million wallet signups, 1 trillion cryptocurrency and token transactions, and 37 million verified users supporting 200+ countries.\n\nIf you are new to our products, please review our [Security Learning Portal](https://www.blockchain.com/learning-portal/security) before submitting reports.\n\n## Terms\n- You are welcome to test our products with your own funds but please note that Blockchain.com is not responsible for any losses.\n- Our evaluation of all reported vulnerabilities is final.\n\n# Response Targets\n\nBlockchain.com will make a best effort to meet the following response targets for hackers participating in our program:\n\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 5 business days\n- Time to bounty (from triage) - 10 business days\n- Time to resolution - depends on severity and complexity\n\n| Severity         | SLA in business days |\n| ------------- | --------------------- |\n| Critical           | 2 days                         |\n| High               | 7 days                         |\n| Medium         | 60 days                       |\n| Low                | 180 days                     |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n\n- Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from Blockchain.com.\n- Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Please do NOT use automatic scanners. We cannot accept any submissions found by using automatic scanners.\n- **Rate limit (maximum amount of requests per second) used in automation: max 3 requests per second.**\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to maximise impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Social engineering of any type (e.g. phishing, vishing, smishing) is strictly prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- The scope approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.\n\n## Out of Scope\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n- Open redirect at blockchain.com/r unless you devise a way to bypass the warning screen\n- The same email address can be used to register multiple wallet accounts -- this is intentional.\n- [https://en.bitcoin.it/wiki/](https://en.bitcoin.it/wiki/) and the en.bitcoin.it domain are NOT owned by Blockchain.com and therefore are NOT in scope.\n- Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.\n- Clickjacking on pages with no sensitive actions.\n- Password, email, and account policies, such as email address verification, password complexity.\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing flags like HttpOnly or Secure on cookies\n- Missing best practices in Content Security Policy or best practice security headers\n- Presence of autocomplete attribute on web forms\n- Tabnabbing or Reverse tabnabbing\n- Blind SSRF without proven business impact (DNS pingback only is not sufficient)\n- Open redirect - unless an additional security impact can be demonstrated\n- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Phishing websites and malware lookalike applications (please report to Support staff instead)\n- Physical security of our offices, employees, etc.\n- Non-security-impacting UX issues\n\nWeb applications operated by third parties are only considered in scope under the following ways:\n- Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.\n- Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward these issues on top of the vendor based on the outcome of that report.\n\nThe following assets represent third-party applications, along with their vendors to report issues to:\n\n- email-clicks.blockchain.com (SendGrid)\n- support.blockchain.com (ZenDesk)\n- blog.blockchain.com (Medium)\n- why.blockchain.com (InstaPage)\n- track.blockchain.com (Tune)\n- partners.blockchain.com (Tune)\n- docs.blockchain.com (GitBook)\n\n# Testing Tips\n\nWhen spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:\n\n- Data for each transaction, block, address, etc. e.g. [https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb](https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb) vs [https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25](https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25)\n- Data presented in multiple human languages, e.g. [https://www.blockchain.com/explorer](https://www.blockchain.com/explorer) vs [https://www.blockchain.com/es/explorer](https://www.blockchain.com/es/explorer)\n\nOur open source application source code can be found for review at [GitHub](https://github.com/blockchain/).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-29T15:19:15.307Z"},{"id":3741519,"new_policy":"# Intro\n\nBlockchain.com is the most trusted and fastest-growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.\n\nTo date, we have over 80 million wallet signups, 1 trillion cryptocurrency and token transactions, and 37 million verified users supporting 200+ countries.\n\nIf you are new to our products, please review our [Security Learning Portal](https://www.blockchain.com/learning-portal/security) before submitting reports.\n\n## Terms\n- You are welcome to test our products with your own funds but please note that Blockchain.com is not responsible for any losses.\n- Our evaluation of all reported vulnerabilities is final.\n\n# Response Targets\n\nBlockchain.com will make a best effort to meet the following response targets for hackers participating in our program:\n\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 5 business days\n- Time to bounty (from triage) - 10 business days\n- Time to resolution - depends on severity and complexity\n\n| Severity         | SLA in business days |\n| ------------- | --------------------- |\n| Critical           | 2 days                         |\n| High               | 7 days                         |\n| Medium         | 60 days                       |\n| Low                | 180 days                     |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n\n- Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from Blockchain.com.\n- Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Please do NOT use automatic scanners. We cannot accept any submissions found by using automatic scanners.\n- **Rate limit (maximum amount of requests per second) used in automation: max 3 requests per second.**\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to maximise impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Social engineering of any type (e.g. phishing, vishing, smishing) is strictly prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- The scope approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.\n\n## Out of Scope\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n- Open redirect at blockchain.com/r unless you devise a way to bypass the warning screen\n- The same email address can be used to register multiple wallet accounts -- this is intentional.\n- [https://en.bitcoin.it/wiki/](https://en.bitcoin.it/wiki/) and the en.bitcoin.it domain are NOT owned by Blockchain.com and therefore are NOT in scope.\n- Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.\n- Clickjacking on pages with no sensitive actions.\n- Password, email, and account policies, such as email address verification, password complexity.\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing flags like HttpOnly or Secure on cookies\n- Missing best practices in Content Security Policy or best practice security headers\n- Presence of autocomplete attribute on web forms\n- Tabnabbing or Reverse tabnabbing\n- Blind SSRF without proven business impact (DNS pingback only is not sufficient)\n- Open redirect - unless an additional security impact can be demonstrated\n- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Phishing websites and malware lookalike applications (please report to Support staff instead)\n- Physical security of our offices, employees, etc.\n- Non-security-impacting UX issues\n\nWeb applications operated by third parties are only considered in scope under the following ways:\n- Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.\n- Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward these issues on top of the vendor based on the outcome of that report.\n\nThe following assets represent third-party applications, along with their vendors to report issues to:\n\n- email-clicks.blockchain.com (SendGrid)\n- support.blockchain.com (ZenDesk)\n- blog.blockchain.com (Medium)\n- why.blockchain.com (InstaPage)\n- track.blockchain.com (Tune)\n- partners.blockchain.com (Tune)\n\n# Testing Tips\n\nWhen spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:\n\n- Data for each transaction, block, address, etc. e.g. [https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb](https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb) vs [https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25](https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25)\n- Data presented in multiple human languages, e.g. [https://www.blockchain.com/explorer](https://www.blockchain.com/explorer) vs [https://www.blockchain.com/es/explorer](https://www.blockchain.com/es/explorer)\n\nOur open source application source code can be found for review at [GitHub](https://github.com/blockchain/).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-09T10:37:13.146Z"},{"id":3668377,"new_policy":"# Intro\n\nBlockchain.com is the most trusted and fastest-growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.\n\nTo date, we have over 80 million wallet signups, 1 trillion cryptocurrency and token transactions, and 37 million verified users supporting 200+ countries.\n\nIf you are new to our products, please review our [Security Learning Portal](https://www.blockchain.com/learning-portal/security) before submitting reports.\n\n## Terms\n- You are welcome to test our products with your own funds but please note that Blockchain.com is not responsible for any losses.\n- Our evaluation of all reported vulnerabilities is final.\n\n# Response Targets\n\nBlockchain.com will make a best effort to meet the following response targets for hackers participating in our program:\n\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 5 business days\n- Time to bounty (from triage) - 10 business days\n- Time to resolution - depends on severity and complexity\n\n| Severity         | SLA in business days |\n| ------------- | --------------------- |\n| Critical           | 2 days                         |\n| High               | 7 days                         |\n| Medium         | 60 days                       |\n| Low                | 180 days                     |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n\n- Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from Blockchain.com.\n- Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Please do NOT use automatic scanners. We cannot accept any submissions found by using automatic scanners.\n- **Rate limit (maximum amount of requests per second) used in automation: max 3 requests per second.**\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to maximise impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Social engineering of any type (e.g. phishing, vishing, smishing) is strictly prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- The scope approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.\n\n## Out of Scope\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n- Open redirect at blockchain.com/r unless you devise a way to bypass the warning screen\n- The same email address can be used to register multiple wallet accounts -- this is intentional.\n- [https://en.bitcoin.it/wiki/](https://en.bitcoin.it/wiki/) and the en.bitcoin.it domain are NOT owned by Blockchain.com and therefore are NOT in scope.\n- Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.\n- Clickjacking on pages with no sensitive actions.\n- Password, email, and account policies, such as email address verification, password complexity.\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing flags like HttpOnly or Secure on cookies\n- Missing best practices in Content Security Policy or best practice security headers\n- Presence of autocomplete attribute on web forms\n- Tabnabbing or Reverse tabnabbing\n- Blind SSRF without proven business impact (DNS pingback only is not sufficient)\n- Open redirect - unless an additional security impact can be demonstrated\n- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Phishing websites and malware lookalike applications (please report to Support staff instead)\n- Physical security of our offices, employees, etc.\n- Non-security-impacting UX issues\n\nWeb applications operated by third parties are only considered in scope under the following ways:\n- Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.\n- Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward these issues on top of the vendor based on the outcome of that report.\n\nThe following assets represent third-party applications, along with their vendors to report issues to:\n\n- email-clicks.blockchain.com (SendGrid)\n- support.blockchain.com (ZenDesk)\n- blog.blockchain.com (Medium)\n- why.blockchain.com (InstaPage)\n- track.blockchain.com (Tune)\n- partners.blockchain.com (Tune)\n\n# Testing Tips\n\nWhen spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:\n\n- Data for each transaction, block, address, etc. e.g. [https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb](https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb) vs [https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25](https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25)\n- Data presented in multiple human languages, e.g. [https://www.blockchain.com/explorer](https://www.blockchain.com/explorer) vs [https://www.blockchain.com/es/explorer](https://www.blockchain.com/es/explorer)\n\nOur open source application source code can be found for review at [GitHub](https://github.com/blockchain/).\n\n# Safe Harbor\n\nAny activities conducted in a manner consistent with the law and our bounty policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Blockchain.com and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-22T18:17:06.961Z"},{"id":3649182,"new_policy":"# Intro\n\nBlockchain.com is the most trusted and fastest-growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.\n\nTo date, we have over 68 million wallet signups, 100 million cryptocurrency and token transactions, and 25 thousand API users supporting 140 countries.\n\nIf you are new to our products, please review our Security Learning Portal before submitting reports.\n\n## Terms\n* You are welcome to test our products with your own funds but please note that Blockchain.com is not responsible for any losses.\n* Our evaluation of all reported vulnerabilities is final.\n\n# Rewards (Standard)\n\nWe evaluate the severity of security issues based on their impact and exploitability, based loosely on CVSS standards. Final decision on severity is made at our sole discretion.\n\nBelow are monetary rewards for each severity level, denominated in US dollars. Pluses indicate minimum amounts.\n\n**Critical** (compromise of important infrastructure; vulnerabilities that result in theft of cryptographic key material or user funds e.g. Wallet XSS, server Command Injection): $2,000+ \n\n**High**: $750 (e.g. CSRF executing important action but less severe than loss of funds)\n\n**Medium**: $300+ (e.g. HTML injection in non-transactional section of website: https://hackerone.com/reports/179426 )\n\n**Low**: $50 (e.g. Server version disclosure https://hackerone.com/reports/179217 or low value information disclosure https://hackerone.com/reports/179599 )\n\n# Response Targets\n\nBlockchain.com will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 5 business days\n* Time to triage (from report submit) - 10 business days \n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from us.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to maximize impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering of our users, employees, partners, etc. (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nThe scope approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.\n\n## Out of Scope\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n \n* Open redirect at blockchain.com/r. unless you devise a way to bypass the warning screen\n* The same email address can be used to register multiple wallet accounts -- this is intentional.\n* https://en.bitcoin.it/wiki/ and the en.bitcoin.it domain are NOT owned by Blockchain.com and therefore are NOT in scope.\n* Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS). DoS software vulnerabilities may be reported, but must be tested in a fashion as to not significantly impact service to users.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Phishing websites and malware lookalike applications (please report to Support staff instead)\n* https://itunes.apple.com/us/app/zeroblock-real-time-bitcoin/id643184018 (ZeroBlock iOS application -- legacy support only)\n* Physical security of our offices, employees, etc.\n* Non-security-impacting UX issues\n\nWeb applications operated by third parties are only considered in scope under the following ways:\n* Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.\n* Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward for these issues on top of the vendor based on the outcome of that report.\n\nThe following assets represent third-party applications, along with their vendors to report issues to:\n\n* campaigns.blockchain.com (ActOn)\n* email-clicks.blockchain.com (SendGrid)\n* jamf.blockchain.com (Jamf)\n* support.blockchain.com (ZenDesk)\n* blog.blockchain.com (Ghost)\n\n# Guidelines for Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n* Description of the vulnerability\n* Steps to reproduce the reported vulnerability\n* Proof of exploitability (e.g. screenshot, video)\n* Perceived impact to another user or the organization\n* Proposed CVSSv3 Vector \u0026 Score (without environmental and temporal modifiers)\n* List of URLs and affected parameters\n* Other vulnerable URLs, additional payloads, Proof-of-Concept code\n* Browser, OS and/or app version used during testing\n\nAll supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.\n\n# Testing Tips\n\nWhen spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:\n\n* Data for each transaction, block, address, etc. e.g. https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb vs https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25\n* Data presented in multiple human languages, e.g. https://www.blockchain.com/explorer vs https://www.blockchain.com/es/explorer \n\nOur open source application source code can be found for review at [GitHub](https://github.com/blockchain/).\n\n# Safe Harbor \n\nAny activities conducted in a manner consistent with the law and our bounty policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Blockchain.com and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-02-27T06:26:10.577Z"},{"id":3636923,"new_policy":"# Intro\n\nBlockchain is the most trusted and fastest-growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.\n\nTo date, we have over 35 million wallet signups, 100 million cryptocurrency and token transactions, and 25 thousand API users supporting 140 countries.\n\nIf you are new to our products, please review our Security Learning Portal before submitting reports.\n\n## Terms\n* You are welcome to test the Trade API with your own funds but please note that Blockchain is not responsible for any losses.\n* This promotion will run until the end of April (2020-04-30 23:59:59 GMT). Blockchain will review the program and may extend it (possibly in a modified form) at our discretion. \n* As usual, our evaluation of all reported vulnerabilities is final.\n\n# Rewards (Standard)\n\nWe evaluate the severity of security issues based on their impact and exploitability, based loosely on CVSS standards. Final decision on severity is made at our sole discretion.\n\nBelow are monetary rewards for each severity level, denominated in US dollars. Pluses indicate minimum amounts.\n\n**Critical** (compromise of important infrastructure; vulnerabilities that result in theft of cryptographic key material or user funds e.g. Wallet XSS, server Command Injection): $2,000+ \n\n**High**: $750 (e.g. CSRF executing important action but less severe than loss of funds)\n\n**Medium**: $300+ (e.g. HTML injection in non-transactional section of website: https://hackerone.com/reports/179426 )\n\n**Low**: $50 (e.g. Server version disclosure https://hackerone.com/reports/179217 or low value information disclosure https://hackerone.com/reports/179599 )\n\n# Response Targets\n\nBlockchain will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 5 business days\n* Time to triage (from report submit) - 10 business days \n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from us.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to maximize impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering of our users, employees, partners, etc. (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nThe scope approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.\n\n## Out of Scope\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n \n* Open redirect at blockchain.com/r. unless you devise a way to bypass the warning screen\n* The same email address can be used to register multiple wallet accounts -- this is intentional.\n* https://en.bitcoin.it/wiki/ and the en.bitcoin.it domain are NOT owned by Blockchain and therefore are NOT in scope.\n* Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS). DoS software vulnerabilities may be reported, but must be tested in a fashion as to not significantly impact service to users.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Phishing websites and malware lookalike applications (please report to Support staff instead)\n* https://itunes.apple.com/us/app/zeroblock-real-time-bitcoin/id643184018 (ZeroBlock iOS application -- legacy support only)\n* Physical security of our offices, employees, etc.\n* Non-security-impacting UX issues\n\nWeb applications operated by third parties are only considered in scope under the following ways:\n* Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.\n* Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward for these issues on top of the vendor based on the outcome of that report.\n\nThe following assets represent third-party applications, along with their vendors to report issues to:\n\n* campaigns.blockchain.com (ActOn)\n* email-clicks.blockchain.com (SendGrid)\n* jamf.blockchain.com (Jamf)\n* support.blockchain.com (ZenDesk)\n* blog.blockchain.com (Ghost)\n\n# Guidelines for Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n* Description of the vulnerability\n* Steps to reproduce the reported vulnerability\n* Proof of exploitability (e.g. screenshot, video)\n* Perceived impact to another user or the organization\n* Proposed CVSSv3 Vector \u0026 Score (without environmental and temporal modifiers)\n* List of URLs and affected parameters\n* Other vulnerable URLs, additional payloads, Proof-of-Concept code\n* Browser, OS and/or app version used during testing\n\nAll supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.\n# Testing Tips\n\nWhen spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:\n\n* Data for each transaction, block, address, etc. e.g. https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb vs https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25\n* Data presented in multiple human languages, e.g. https://www.blockchain.com/explorer vs https://www.blockchain.com/es/explorer \n\nOur open source application source code can be found for review at [GitHub](https://github.com/blockchain/).\n\n# Safe Harbor \n\nAny activities conducted in a manner consistent with the law and our bounty policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Blockchain and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-02T08:50:33.263Z"},{"id":3632677,"new_policy":"# Intro\n\nBlockchain is the most trusted and fastest growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.\n\nTo date we have over 35 million wallet signups, 100 million cryptocurrency and token transactions, and 25 thousand API users supporting 140 countries.\n\nIf you are new to our products, please review our Security Learning Portal before submitting reports.\n\n# Blockchain Exchange API Promotion (March-April 2020)\n \n## Bonus Rewards\nIn addition to our standard rewards, the first valid Critical report will receive a bonus payment of $1000 and the first two valid High reports will receive a bonus of $250 each.\n\nBonus rewards are subject to scope and terms as specified below.\n \n## Overview\nThe target of the promotion is the Blockchain Exchange API. You will need to create an account on https://exchange.blockchain.com and follow the instructions on https://exchange.blockchain.com/api/ to create an API key. You may need to complete identity verification in order to access the API.\n\n## Scope of promotion\n* wss://ws.prod.blockchain.info/mercury-gateway/v1/ws\n* Exchange API key security\n\nNote that non-Exchange APIs such as https://www.blockchain.com/api are out of scope for this promotion.\n \n## Terms\n* You are welcome to test the Trade API with your own funds but please note that Blockchain is not responsible for any losses.\n* This promotion will run until the end of April (2020-04-30 23:59:59 GMT). Blockchain will review the program and may extend it (possibly in a modified form) at our discretion. \n* As usual, our evaluation of all reported vulnerabilities is final.\n\n# Rewards (Standard)\n\nWe evaluate the severity of security issues based on their impact and exploitability, based loosely on CVSS standards. Final decision on severity is made at our sole discretion.\n\nBelow are monetary rewards for each severity level, denominated in US dollars. Pluses indicate minimum amounts.\n\n**Critical** (compromise of important infrastructure; vulnerabilities that result in theft of cryptographic key material or user funds e.g. Wallet XSS, server Command Injection): $2,000+ \n\n**High**: $750 (e.g. CSRF executing important action but less severe than loss of funds)\n\n**Medium**: $300+ (e.g. HTML injection in non-transactional section of website: https://hackerone.com/reports/179426 )\n\n**Low**: $50 (e.g. Server version disclosure https://hackerone.com/reports/179217 or low value information disclosure https://hackerone.com/reports/179599 )\n\n# Response Targets\n\nBlockchain will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 5 business days\n* Time to triage (from report submit) - 10 business days \n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from us.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to maximize impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering of our users, employees, partners, etc. (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nThe scope approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.\n\n## Out of Scope\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n \n* Open redirect at blockchain.com/r. unless you devise a way to bypass the warning screen\n* The same email address can be used to register multiple wallet accounts -- this is intentional.\n* https://en.bitcoin.it/wiki/ and the en.bitcoin.it domain are NOT owned by Blockchain and therefore are NOT in scope.\n* Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS). DoS software vulnerabilities may be reported, but must be tested in a fashion as to not significantly impact service to users.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Phishing websites and malware lookalike applications (please report to Support staff instead)\n* https://itunes.apple.com/us/app/zeroblock-real-time-bitcoin/id643184018 (ZeroBlock iOS application -- legacy support only)\n* Physical security of our offices, employees, etc.\n* Non-security-impacting UX issues\n\nWeb applications operated by third parties are only considered in scope under the following ways:\n* Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.\n* Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward for these issues on top of the vendor based on the outcome of that report.\n\nThe following assets represent third-party applications, along with their vendors to report issues to:\n\n* campaigns.blockchain.com (ActOn)\n* email-clicks.blockchain.com (SendGrid)\n* jamf.blockchain.com (Jamf)\n* support.blockchain.com (ZenDesk)\n* blog.blockchain.com (Ghost)\n\n# Guidelines for Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n* Description of the vulnerability\n* Steps to reproduce the reported vulnerability\n* Proof of exploitability (e.g. screenshot, video)\n* Perceived impact to another user or the organization\n* Proposed CVSSv3 Vector \u0026 Score (without environmental and temporal modifiers)\n* List of URLs and affected parameters\n* Other vulnerable URLs, additional payloads, Proof-of-Concept code\n* Browser, OS and/or app version used during testing\n\nAll supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.\n# Testing Tips\n\nWhen spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:\n\n* Data for each transaction, block, address, etc. e.g. https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb vs https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25\n* Data presented in multiple human languages, e.g. https://www.blockchain.com/explorer vs https://www.blockchain.com/es/explorer \n\nOur open source application source code can be found for review at [GitHub](https://github.com/blockchain/).\n\n# Safe Harbor \n\nAny activities conducted in a manner consistent with the law and our bounty policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Blockchain and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-11T10:40:02.985Z"},{"id":3632618,"new_policy":"# Intro\n\nBlockchain is the most trusted and fastest growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.\n\nTo date we have over 35 million wallet signups, 100 million cryptocurrency and token transactions, and 25 thousand API users supporting 140 countries.\n\nIf you are new to our products, please review our Security Learning Portal before submitting reports.\n\n# Blockchain Exchange API Promotion (March-April 2020)\n \n## Bonus Rewards\nIn addition to our standard rewards, the first valid Critical report will receive a bonus payment of $1000 and the first two valid High reports will receive a bonus of $250 each.\n \n## Overview\nThe target of the promotion is the Blockchain Exchange API. You will need to create an account on https://exchange.blockchain.com and follow the instructions on https://exchange.blockchain.com/api/ to create an API key. You may need to complete identity verification in order to access the API.\n\n## Scope of promotion\n* wss://ws.prod.blockchain.info/mercury-gateway/v1/ws\n* Exchange API key security\n(Note that non-Exchange APIs such as https://www.blockchain.com/api are out of scope for this promotion.)\n \n## Terms\n* You are welcome to test the Trade API with your own funds but please note that Blockchain is not responsible for any losses.\n* This promotion will run until the end of April (2020-04-30 23:59:59 GMT). Blockchain will review the program and may extend it (possibly in a modified form) at our discretion. \n* As usual, our evaluation of all reported vulnerabilities is final.\n\n# Rewards (Standard)\n\nWe evaluate the severity of security issues based on their impact and exploitability, based loosely on CVSS standards. Final decision on severity is made at our sole discretion.\n\nBelow are monetary rewards for each severity level, denominated in US dollars. Pluses indicate minimum amounts.\n\n**Critical** (compromise of important infrastructure; vulnerabilities that result in theft of cryptographic key material or user funds e.g. Wallet XSS, server Command Injection): $2,000+ \n\n**High**: $750 (e.g. CSRF executing important action but less severe than loss of funds)\n\n**Medium**: $300+ (e.g. HTML injection in non-transactional section of website: https://hackerone.com/reports/179426 )\n\n**Low**: $50 (e.g. Server version disclosure https://hackerone.com/reports/179217 or low value information disclosure https://hackerone.com/reports/179599 )\n\n# Response Targets\n\nBlockchain will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 5 business days\n* Time to triage (from report submit) - 10 business days \n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from us.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to maximize impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering of our users, employees, partners, etc. (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nThe scope approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.\n\n## Out of Scope\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n \n* Open redirect at blockchain.com/r. unless you devise a way to bypass the warning screen\n* The same email address can be used to register multiple wallet accounts -- this is intentional.\n* https://en.bitcoin.it/wiki/ and the en.bitcoin.it domain are NOT owned by Blockchain and therefore are NOT in scope.\n* Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS). DoS software vulnerabilities may be reported, but must be tested in a fashion as to not significantly impact service to users.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Phishing websites and malware lookalike applications (please report to Support staff instead)\n* https://itunes.apple.com/us/app/zeroblock-real-time-bitcoin/id643184018 (ZeroBlock iOS application -- legacy support only)\n* Physical security of our offices, employees, etc.\n* Non-security-impacting UX issues\n\nWeb applications operated by third parties are only considered in scope under the following ways:\n* Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.\n* Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward for these issues on top of the vendor based on the outcome of that report.\n\nThe following assets represent third-party applications, along with their vendors to report issues to:\n\n* campaigns.blockchain.com (ActOn)\n* email-clicks.blockchain.com (SendGrid)\n* jamf.blockchain.com (Jamf)\n* support.blockchain.com (ZenDesk)\n* blog.blockchain.com (Ghost)\n\n# Guidelines for Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n* Description of the vulnerability\n* Steps to reproduce the reported vulnerability\n* Proof of exploitability (e.g. screenshot, video)\n* Perceived impact to another user or the organization\n* Proposed CVSSv3 Vector \u0026 Score (without environmental and temporal modifiers)\n* List of URLs and affected parameters\n* Other vulnerable URLs, additional payloads, Proof-of-Concept code\n* Browser, OS and/or app version used during testing\n\nAll supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.\n# Testing Tips\n\nWhen spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:\n\n* Data for each transaction, block, address, etc. e.g. https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb vs https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25\n* Data presented in multiple human languages, e.g. https://www.blockchain.com/explorer vs https://www.blockchain.com/es/explorer \n\nOur open source application source code can be found for review at [GitHub](https://github.com/blockchain/).\n\n# Safe Harbor \n\nAny activities conducted in a manner consistent with the law and our bounty policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Blockchain and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-10T16:35:09.656Z"},{"id":3629778,"new_policy":"# Intro\n\nBlockchain is the most trusted and fastest growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.\n\nTo date we have over 35 million wallet signups, 100 million cryptocurrency and token transactions, and 25 thousand API users supporting 140 countries.\n\nIf you are new to our products, please review our Security Learning Portal before submitting reports.\n\n# Rewards\n\nWe evaluate the severity of security issues based on their impact and exploitability, based loosely on CVSS standards. Final decision on severity is made at our sole discretion.\n\nBelow are monetary rewards for each severity level, denominated in US dollars. Pluses indicate minimum amounts.\n\n**Critical** (compromise of important infrastructure; vulnerabilities that result in theft of cryptographic key material or user funds e.g. Wallet XSS, server Command Injection): $2,000+ \n\n**High**: $750 (e.g. CSRF executing important action but less severe than loss of funds)\n\n**Medium**: $300+ (e.g. HTML injection in non-transactional section of website: https://hackerone.com/reports/179426 )\n\n**Low**: $50 (e.g. Server version disclosure https://hackerone.com/reports/179217 or low value information disclosure https://hackerone.com/reports/179599 )\n\n# Response Targets\n\nBlockchain will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 5 business days\n* Time to triage (from report submit) - 10 business days \n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from us.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n# Program Rules\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to maximize impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering of our users, employees, partners, etc. (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nThe scope approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.\n\n## Out of Scope\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n \n* Open redirect at blockchain.com/r. unless you devise a way to bypass the warning screen\n* The same email address can be used to register multiple wallet accounts -- this is intentional.\n* https://en.bitcoin.it/wiki/ and the en.bitcoin.it domain are NOT owned by Blockchain and therefore are NOT in scope.\n* Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS). DoS software vulnerabilities may be reported, but must be tested in a fashion as to not significantly impact service to users.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Phishing websites and malware lookalike applications (please report to Support staff instead)\n* https://itunes.apple.com/us/app/zeroblock-real-time-bitcoin/id643184018 (ZeroBlock iOS application -- legacy support only)\n* Physical security of our offices, employees, etc.\n* Non-security-impacting UX issues\n\nWeb applications operated by third parties are only considered in scope under the following ways:\n* Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.\n* Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward for these issues on top of the vendor based on the outcome of that report.\n\nThe following assets represent third-party applications, along with their vendors to report issues to:\n\n* campaigns.blockchain.com (ActOn)\n* email-clicks.blockchain.com (SendGrid)\n* jamf.blockchain.com (Jamf)\n* support.blockchain.com (ZenDesk)\n* blog.blockchain.com (Ghost)\n\n# Guidelines for Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n* Description of the vulnerability\n* Steps to reproduce the reported vulnerability\n* Proof of exploitability (e.g. screenshot, video)\n* Perceived impact to another user or the organization\n* Proposed CVSSv3 Vector \u0026 Score (without environmental and temporal modifiers)\n* List of URLs and affected parameters\n* Other vulnerable URLs, additional payloads, Proof-of-Concept code\n* Browser, OS and/or app version used during testing\n\nAll supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.\n# Testing Tips\n\nWhen spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:\n\n* Data for each transaction, block, address, etc. e.g. https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb vs https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25\n* Data presented in multiple human languages, e.g. https://www.blockchain.com/explorer vs https://www.blockchain.com/es/explorer \n\nOur open source application source code can be found for review at [GitHub](https://github.com/blockchain/).\n\n# Safe Harbor \n\nAny activities conducted in a manner consistent with the law and our bounty policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Blockchain and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-04T16:17:31.025Z"},{"id":3623571,"new_policy":"# Intro\n\nBlockchain is the most trusted and fastest growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.\n\nTo date we have over 35 million wallet signups, 100 million cryptocurrency and token transactions, and 25 thousand API users supporting 140 countries.\n\nIf you are new to our products, please review our Security Learning Portal before submitting reports.\n\n# Rewards\n\nWe evaluate the severity of security issues based on their impact and exploitability, based loosely on CVSS standards. Final decision on severity is made at our sole discretion.\n\nBelow are monetary rewards for each severity level, denominated in US dollars. Pluses indicate minimum amounts.\n\n**XLM Airdrop exploit**: Up to $6,000 (See XLM Airdrop Testing section below)\n\n**Critical** (compromise of important infrastructure; vulnerabilities that result in theft of cryptographic key material or user funds e.g. Wallet XSS, server Command Injection): $2,000+ \n\n**High**: $750 (e.g. CSRF executing important action but less severe than loss of funds)\n\n**Medium**: $300+ (e.g. HTML injection in non-transactional section of website: https://hackerone.com/reports/179426 )\n\n**Low**: $50 (e.g. Server version disclosure https://hackerone.com/reports/179217 or low value information disclosure https://hackerone.com/reports/179599 )\n\n## XLM Airdrop Testing\n\nBlockchain has partnered with Stellar to airdrop $125M in XLM to our users. To ensure a fair airdrop process, we’ve taken steps to ensure that only one airdrop payment can be made per person.\n\nWe are now inviting security researchers to find ways of bypassing this constraint to help us prevent fraud and abuse. The objective for bounty hunters is to receive more than one airdrop payment by any legal means. Since this is a new type of bounty program, we are adopting an unconventional bounty system: Each legitimate report will be rewarded based on our estimates for how many times a given technique could reasonably be exploited by a malicious airdrop attacker.\n\nFor example, if you report a technique that would allow an attacker to receive 1000 XLM in airdrops, then we’ll award through HackerOne a minimum amount quoted in USD at the time the report is received. At a price of $0.12 USD per XLM, this would come out to a $120 USD bounty reward.\n\nAll rewards will be capped at a maximum of $6000 USD per report. We will always reward at least $50 per technique.\n\nSince financial and document fraud may be obvious ways to bypass our restrictions, please check with your local laws to verify that your research remains legal.\n\n# Response Targets\n\nBlockchain will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 5 business days\n* Time to triage (from report submit) - 10 business days \n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from us.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n# Program Rules\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to maximize impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering of our users, employees, partners, etc. (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\nThe scope approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.\n\n## Out of Scope\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n \n* Open redirect at blockchain.com/r. unless you devise a way to bypass the warning screen\n* The same email address can be used to register multiple wallet accounts -- this is intentional.\n* https://en.bitcoin.it/wiki/ and the en.bitcoin.it domain are NOT owned by Blockchain and therefore are NOT in scope.\n* Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS). DoS software vulnerabilities may be reported, but must be tested in a fashion as to not significantly impact service to users.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Phishing websites and malware lookalike applications (please report to Support staff instead)\n* https://itunes.apple.com/us/app/zeroblock-real-time-bitcoin/id643184018 (ZeroBlock iOS application -- legacy support only)\n* Physical security of our offices, employees, etc.\n* Non-security-impacting UX issues\n\nWeb applications operated by third parties are only considered in scope under the following ways:\n* Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.\n* Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward for these issues on top of the vendor based on the outcome of that report.\n\nThe following assets represent third-party applications, along with their vendors to report issues to:\n\n* campaigns.blockchain.com (ActOn)\n* email-clicks.blockchain.com (SendGrid)\n* jamf.blockchain.com (Jamf)\n* support.blockchain.com (ZenDesk)\n* blog.blockchain.com (Ghost)\n\n# Guidelines for Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n* Description of the vulnerability\n* Steps to reproduce the reported vulnerability\n* Proof of exploitability (e.g. screenshot, video)\n* Perceived impact to another user or the organization\n* Proposed CVSSv3 Vector \u0026 Score (without environmental and temporal modifiers)\n* List of URLs and affected parameters\n* Other vulnerable URLs, additional payloads, Proof-of-Concept code\n* Browser, OS and/or app version used during testing\n\nAll supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.\n# Testing Tips\n\nWhen spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:\n\n* Data for each transaction, block, address, etc. e.g. https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb vs https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25\n* Data presented in multiple human languages, e.g. https://www.blockchain.com/explorer vs https://www.blockchain.com/es/explorer \n\nOur open source application source code can be found for review at [GitHub](https://github.com/blockchain/).\n\n# Safe Harbor \n\nAny activities conducted in a manner consistent with the law and our bounty policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Blockchain and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-13T14:39:06.567Z"},{"id":3615631,"new_policy":"# Intro\n\nBlockchain is the most trusted and fastest growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.\n\nTo date we have over 35 million wallet signups, 100 million cryptocurrency and token transactions, and 25 thousand API users supporting 140 countries.\n\nIf you are new to our products, please review our Security Learning Portal before submitting reports.\n\n# Rewards\n\nWe evaluate the severity of security issues based on their impact and exploitability, based loosely on CVSS standards. Final decision on severity is made at our sole discretion.\n\nBelow are monetary rewards for each severity level, denominated in US dollars. Pluses indicate minimum amounts.\n\n**XLM Airdrop exploit**: Up to $6,000 (See XLM Airdrop Testing section below)\n\n**Critical** (compromise of important infrastructure; vulnerabilities that result in theft of cryptographic key material or user funds e.g. Wallet XSS, server Command Injection): $2,000+ \n\n**High**: $750 (e.g. CSRF executing important action but less severe than loss of funds)\n\n**Medium**: $300+ (e.g. HTML injection in non-transactional section of website: https://hackerone.com/reports/179426 )\n\n**Low**: $50 (e.g. Server version disclosure https://hackerone.com/reports/179217 or low value information disclosure https://hackerone.com/reports/179599 )\n\n## XLM Airdrop Testing\n\nBlockchain has partnered with Stellar to airdrop $125M in XLM to our users. To ensure a fair airdrop process, we’ve taken steps to ensure that only one airdrop payment can be made per person.\n\nWe are now inviting security researchers to find ways of bypassing this constraint to help us prevent fraud and abuse. The objective for bounty hunters is to receive more than one airdrop payment by any legal means. Since this is a new type of bounty program, we are adopting an unconventional bounty system: Each legitimate report will be rewarded based on our estimates for how many times a given technique could reasonably be exploited by a malicious airdrop attacker.\n\nFor example, if you report a technique that would allow an attacker to receive 1000 XLM in airdrops, then we’ll award through HackerOne a minimum amount quoted in USD at the time the report is received. At a price of $0.12 USD per XLM, this would come out to a $120 USD bounty reward.\n\nAll rewards will be capped at a maximum of $6000 USD per report. We will always reward at least $50 per technique.\n\nSince financial and document fraud may be obvious ways to bypass our restrictions, please check with your local laws to verify that your research remains legal.\n\n# Response Targets\n\nBlockchain will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 5 business days\n* Time to triage (from report submit) - 10 business days \n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from us.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n# Program Rules\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to maximize impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering of our users, employees, partners, etc. (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Testing Scope\n## Assets in Scope\n\nThe following approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.\n\n### blockchain.com namespace\n\n* *.blockchain.com\n* www.blockchain.com\n* api.blockchain.com\n* docs.blockchain.com\n* login.blockchain.com\n* mailer1.blockchain.com\n* mailer2.blockchain.com\n* mailer3.blockchain.com\n* pit.blockchain.com\n* prod.blockchain.com\n* wallet-helper.blockchain.com\n\n### blockchain.info namespace\n\n* www.blockchain.info ¹\n* api.blockchain.info ¹\n* bci-ads.blockchain.info\n* blog.blockchain.info ¹\n*  consul.dev.blockchain.info\n*  *.europe-west1.dev.blockchain.info\n*  *.dev.blockchain.info ¹²\n* horizon.blockchain.info\n* pit.*.blockchain.info\n* ws.blockchain.info\n\n¹: Partially deprecated domain. Severity may be limited.\n²: Pre-production system. Severity may be limited.\n\n### Mobile applications and hardware\n\n* Wallet App (Android) https://play.google.com/store/apps/details?id=piuk.blockchain.android (Latest version)\n* Merchant App (Android) https://play.google.com/store/apps/details?id=info.blockchain.merchant (Latest version)\n* Wallet App (iOS) https://itunes.apple.com/us/app/blockchain-wallet-bitcoin/id493253309 (Latest version)\n* Merchant App (iOS) https://itunes.apple.com/us/app/blockchain-merchant/id947009571 (Latest version)\n* Hardware and software for the Blockchain Lockbox hardware wallet\n\n\n\n## Out of Scope\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n \n* Open redirect at blockchain.com/r. unless you devise a way to bypass the warning screen\n* The same email address can be used to register multiple wallet accounts -- this is intentional.\n* https://en.bitcoin.it/wiki/ and the en.bitcoin.it domain are NOT owned by Blockchain and therefore are NOT in scope.\n* Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS). DoS software vulnerabilities may be reported, but must be tested in a fashion as to not significantly impact service to users.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Phishing websites and malware lookalike applications (please report to Support staff instead)\n* https://itunes.apple.com/us/app/zeroblock-real-time-bitcoin/id643184018 (ZeroBlock iOS application -- legacy support only)\n* Physical security of our offices, employees, etc.\n* Non-security-impacting UX issues\n\nWeb applications operated by third parties are only considered in scope under the following ways:\n* Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.\n* Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward for these issues on top of the vendor based on the outcome of that report.\n\nThe following assets represent third-party applications, along with their vendors to report issues to:\n\n* campaigns.blockchain.com (ActOn)\n* email-clicks.blockchain.com (SendGrid)\n* jamf.blockchain.com (Jamf)\n* support.blockchain.com (ZenDesk)\n* blog.blockchain.com (Ghost)\n\n# Guidelines for Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n* Description of the vulnerability\n* Steps to reproduce the reported vulnerability\n* Proof of exploitability (e.g. screenshot, video)\n* Perceived impact to another user or the organization\n* Proposed CVSSv3 Vector \u0026 Score (without environmental and temporal modifiers)\n* List of URLs and affected parameters\n* Other vulnerable URLs, additional payloads, Proof-of-Concept code\n* Browser, OS and/or app version used during testing\n\nAll supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.\n# Testing Tips\n\nWhen spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:\n\n* Data for each transaction, block, address, etc. e.g. https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb vs https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25\n* Data presented in multiple human languages, e.g. https://www.blockchain.com/explorer vs https://www.blockchain.com/es/explorer \n\nOur open source application source code can be found for review at [GitHub](https://github.com/blockchain/).\n\n# Safe Harbor \n\nAny activities conducted in a manner consistent with the law and our bounty policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Blockchain and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-06T04:58:06.940Z"},{"id":3612435,"new_policy":"# Intro\n\nBlockchain is the most trusted and fastest growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.\n\nTo date we have over 35 million wallet signups, 100 million cryptocurrency and token transactions, and 25 thousand API users supporting 140 countries.\n\nIf you are new to our products, please review our Security Learning Portal before submitting reports.\n\n# Rewards\n\nWe evaluate the severity of security issues based on their impact and exploitability, based loosely on CVSS standards. Final decision on severity is made at our sole discretion.\n\nBelow are monetary rewards for each severity level, denominated in US dollars. Pluses indicate minimum amounts.\n\n**XLM Airdrop exploit**: Up to $6,000 (See XLM Airdrop Testing section below)\n\n**Critical** (compromise of important infrastructure; vulnerabilities that result in theft of cryptographic key material or user funds e.g. Wallet XSS, server Command Injection): $2,000+ \n\n**High**: $750 (e.g. CSRF executing important action but less severe than loss of funds)\n\n**Medium**: $300+ (e.g. HTML injection in non-transactional section of website: https://hackerone.com/reports/179426 )\n\n**Low**: $50 (e.g. Server version disclosure https://hackerone.com/reports/179217 or low value information disclosure https://hackerone.com/reports/179599 )\n\n## XLM Airdrop Testing\n\nBlockchain has partnered with Stellar to airdrop $125M in XLM to our users. To ensure a fair airdrop process, we’ve taken steps to ensure that only one airdrop payment can be made per person.\n\nWe are now inviting security researchers to find ways of bypassing this constraint to help us prevent fraud and abuse. The objective for bounty hunters is to receive more than one airdrop payment by any legal means. Since this is a new type of bounty program, we are adopting an unconventional bounty system: Each legitimate report will be rewarded based on our estimates for how many times a given technique could reasonably be exploited by a malicious airdrop attacker.\n\nFor example, if you report a technique that would allow an attacker to receive 1000 XLM in airdrops, then we’ll award through HackerOne a minimum amount quoted in USD at the time the report is received. At a price of $0.12 USD per XLM, this would come out to a $120 USD bounty reward.\n\nAll rewards will be capped at a maximum of $6000 USD per report. We will always reward at least $50 per technique.\n\nSince financial and document fraud may be obvious ways to bypass our restrictions, please check with your local laws to verify that your research remains legal.\n\n# Response Targets\n\nBlockchain will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 5 business days\n* Time to triage (from report submit) - 10 business days \n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from us.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n# Program Rules\n\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to maximize impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering of our users, employees, partners, etc. (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Testing Scope\n## Assets in Scope\n\nThe following approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.\n\n### blockchain.com namespace\n\n* *.blockchain.com\n* www.blockchain.com\n* api.blockchain.com\n* docs.blockchain.com\n* login.blockchain.com\n* mailer1.blockchain.com\n* mailer2.blockchain.com\n* mailer3.blockchain.com\n* prod.blockchain.com\n* wallet-helper.blockchain.com\n\n### blockchain.info namespace\n\n* www.blockchain.info ¹\n* api.blockchain.info ¹\n* bci-ads.blockchain.info\n* blog.blockchain.info ¹\n*  consul.dev.blockchain.info\n*  *.europe-west1.dev.blockchain.info\n*  *.dev.blockchain.info ¹²\n* horizon.blockchain.info\n* ws.blockchain.info\n\n¹: Partially deprecated domain. Severity may be limited.\n²: Pre-production system. Severity may be limited.\n\n### Mobile applications and hardware\n\n* Wallet App (Android) https://play.google.com/store/apps/details?id=piuk.blockchain.android (Latest version)\n* Merchant App (Android) https://play.google.com/store/apps/details?id=info.blockchain.merchant (Latest version)\n* Wallet App (iOS) https://itunes.apple.com/us/app/blockchain-wallet-bitcoin/id493253309 (Latest version)\n* Merchant App (iOS) https://itunes.apple.com/us/app/blockchain-merchant/id947009571 (Latest version)\n* Hardware and software for the Blockchain Lockbox hardware wallet\n\n\n\n## Out of Scope\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n \n* Open redirect at blockchain.com/r. unless you devise a way to bypass the warning screen\n* The same email address can be used to register multiple wallet accounts -- this is intentional.\n* https://en.bitcoin.it/wiki/ and the en.bitcoin.it domain are NOT owned by Blockchain and therefore are NOT in scope.\n* Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS). DoS software vulnerabilities may be reported, but must be tested in a fashion as to not significantly impact service to users.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Phishing websites and malware lookalike applications (please report to Support staff instead)\n* https://itunes.apple.com/us/app/zeroblock-real-time-bitcoin/id643184018 (ZeroBlock iOS application -- legacy support only)\n* Physical security of our offices, employees, etc.\n* Non-security-impacting UX issues\n\nWeb applications operated by third parties are only considered in scope under the following ways:\n* Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.\n* Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward for these issues on top of the vendor based on the outcome of that report.\n\nThe following assets represent third-party applications, along with their vendors to report issues to:\n\n* campaigns.blockchain.com (ActOn)\n* email-clicks.blockchain.com (SendGrid)\n* jamf.blockchain.com (Jamf)\n* support.blockchain.com (ZenDesk)\n* blog.blockchain.com (Ghost)\n\n# Guidelines for Crafting a Report\n\nIf our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:\n\n* Description of the vulnerability\n* Steps to reproduce the reported vulnerability\n* Proof of exploitability (e.g. screenshot, video)\n* Perceived impact to another user or the organization\n* Proposed CVSSv3 Vector \u0026 Score (without environmental and temporal modifiers)\n* List of URLs and affected parameters\n* Other vulnerable URLs, additional payloads, Proof-of-Concept code\n* Browser, OS and/or app version used during testing\n\nAll supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.\n# Testing Tips\n\nWhen spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:\n\n* Data for each transaction, block, address, etc. e.g. https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb vs https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25\n* Data presented in multiple human languages, e.g. https://www.blockchain.com/explorer vs https://www.blockchain.com/es/explorer \n\nOur open source application source code can be found for review at [GitHub](https://github.com/blockchain/).\n\n# Safe Harbor \n\nAny activities conducted in a manner consistent with the law and our bounty policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Blockchain and our users safe!\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-21T23:12:14.236Z"},{"id":3598625,"new_policy":"# ABOUT BLOCKCHAIN\n\nBlockchain is Bitcoin's most popular bitcoin wallet and block explorer. As of January 2014 the site has over 1.1 million registered users and 200 million page views per month.\n\n# HACKERONE\n\nThe purpose of this reward program is to be proactive about security by providing a channel for security researchers to report potential security vulnerabilities identified related to our web assets and mobile applications.\n\n*Note:* Higher rewards will be paid out in case of vulnerabilities of a certain interest or criticality. \n\nPlease review our security writeup before submitting reports:\nhttps://blockchain.info/wallet/security\n\n# SCOPE\n\nThe following items can be reported to us through HackerOne, but are out of scope for bounty rewards:\n- Vulnerabilities related to 3rd-party software (e.g. Java, plugins, extensions) are not in scope.\n- Minor issues, e.g. cookie flags and auto-complete fields are out of scope.\n- Open URL Redirects\n\nThe following commonly reported items are known to us and should not be reported:\n- Open redirect at blockchain.info/r. unless you devise a way to bypass the warning screen\n- The same email address can be used to register multiple wallet accounts -- this is intentional.\n-  https://en.bitcoin.it/wiki/ and the  en.bitcoin.it domain are NOT owned by Blockchain and therefore are NOT in scope.\n- Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.\n\n# NEW BOUNTY PROGRAM - XLM AIRDROP\n\nBlockchain has partnered with Stellar to [airdrop $125M in XLM to our users](https://blog.blockchain.com/2018/11/06/we-always-put-users-first-and-now-we-have-125m-ways-to-show-it/). To ensure a fair airdrop process, we’ve taken steps to ensure that only one airdrop payment can be made per person.\n\nWe are now inviting security researchers to find ways of bypassing this constraint to help us prevent fraud and abuse. The objective for bounty hunters is to receive more than one airdrop payment by any legal means. Since this is a new type of bounty program, we are adopting an unconventional bounty system: Each legitimate report will be rewarded based on our estimates for how many times a given technique could reasonably be exploited by a malicious airdrop attacker.\n\nFor example, if you report a technique that would allow an attacker to receive 1000 XLM in airdrops, then we’ll award through HackerOne a minimum amount quoted in USD at the time the report is received. At a price of $0.12 USD per XLM, this would come out to a $120 USD bounty reward.\n\nAll rewards will be capped at a maximum of $6000 USD per report. We will always reward at least $50 per technique.\n\nThe usual bounty caveats continue to apply: The first researcher to report an issue gets the reward. The report must describe an issue that we are not previously familiar with. No techniques can be disclosed publicly or to third parties until we’re ready. Reports must come with a proof of concept demonstrating our vulnerability; \n\nSince financial and document fraud may be obvious ways to bypass our restrictions, please check with your local laws to verify that your research remains legal.\n\n# THANK YOU\n\nBounties are paid out after a risk assessment has been made by our Security Engineering team. Bugs must fall within scope, be reproducible, and must not have been previously reported by other researchers in order to be eligible for a bounty. Roughly speaking, we calculate the severity of an issue with the following formula:\n\n- Severity = Impact * Likelihood\n\nBase bounty amounts are as follows:\n\n- Low: $50\n- Medium: $400\n- High: $1600\n- Critical: \u003e$1600\n\nWe will pay higher bounties to researchers who make things easy for us. Such activities include:\n- Providing additional details when queried or confirming fixes\n- Detailed threat modeling information about the identified issues. How would an attacker use the issue you identified to attack our customers or our team?\n- Clearly written reports\n- Working proof of concept provided and/or detailed steps to reproduce issue\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-19T05:10:40.815Z"},{"id":3543614,"new_policy":"# ABOUT BLOCKCHAIN\n\nBlockchain is Bitcoin's most popular bitcoin wallet and block explorer. As of January 2014 the site has over 1.1 million registered users and 200 million page views per month.\n\n# HACKERONE\n\nThe purpose of this reward program is to be proactive about security by providing a channel for security researchers to report potential security vulnerabilities identified related to our web assets and mobile applications.\n\n*Note:* Higher rewards will be paid out in case of vulnerabilities of a certain interest or criticality. \n\nPlease review our security writeup before submitting reports:\nhttps://blockchain.info/wallet/security\n\n# SCOPE\n\nThe following items can be reported to us through HackerOne, but are out of scope for bounty rewards:\n- Vulnerabilities related to 3rd-party software (e.g. Java, plugins, extensions) are not in scope.\n- Minor issues, e.g. cookie flags and auto-complete fields are out of scope.\n- Open URL Redirects\n\nThe following commonly reported items are known to us and should not be reported:\n- Open redirect at blockchain.info/r. unless you devise a way to bypass the warning screen\n- The same email address can be used to register multiple wallet accounts -- this is intentional.\n-  https://en.bitcoin.it/wiki/ and the  en.bitcoin.it domain are NOT owned by Blockchain and therefore are NOT in scope.\n- Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.\n\n# THANK YOU\n\nBounties are paid out after a risk assessment has been made by our Security Engineering team. Bugs must fall within scope, be reproducible, and must not have been previously reported by other researchers in order to be eligible for a bounty. Roughly speaking, we calculate the severity of an issue with the following formula:\n\n- Severity = Impact * Likelihood\n\nBase bounty amounts are as follows:\n\n- Low: $50\n- Medium: $400\n- High: $1600\n- Critical: \u003e$1600\n\nWe will pay higher bounties to researchers who make things easy for us. Such activities include:\n- Providing additional details when queried or confirming fixes\n- Detailed threat modeling information about the identified issues. How would an attacker use the issue you identified to attack our customers or our team?\n- Clearly written reports\n- Working proof of concept provided and/or detailed steps to reproduce issue\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-21T17:32:41.163Z"},{"id":3541296,"new_policy":"# ABOUT BLOCKCHAIN\n\nBlockchain is Bitcoin's most popular bitcoin wallet and block explorer. As of January 2014 the site has over 1.1 million registered users and 200 million page views per month.\n\n# HACKERONE\n\nThe purpose of this reward program is to be proactive about security by providing a channel for security researchers to report potential security vulnerabilities identified related to our web assets and mobile applications.\n\n*Note:* Higher rewards will be paid out in case of vulnerabilities of a certain interest or criticality. \n\nPlease review our security writeup before submitting reports:\nhttps://blockchain.info/wallet/security\n\n# SCOPE\n\nThe following items can be reported to us through HackerOne, but are out of scope for bounty rewards:\n- Vulnerabilities related to 3rd-party software (e.g. Java, plugins, extensions) are not in scope.\n- Minor issues, e.g. cookie flags and auto-complete fields are out of scope.\n- Open URL Redirects\n\nThe following commonly reported items are known to us and should not be reported:\n- Open redirect at blockchain.info/r. unless you devise a way to bypass the warning screen\n- The same email address can be used to register multiple wallet accounts -- this is intentional.\n-  https://en.bitcoin.it/wiki/ and the  en.bitcoin.it domain are NOT owned by Blockchain and therefore are NOT in scope.\n\n# THANK YOU\n\nBounties are paid out after a risk assessment has been made by our Security Engineering team. Bugs must fall within scope, be reproducible, and must not have been previously reported by other researchers in order to be eligible for a bounty. Roughly speaking, we calculate the severity of an issue with the following formula:\n\n- Severity = Impact * Likelihood\n\nBase bounty amounts are as follows:\n\n- Low: $50\n- Medium: $400\n- High: $1600\n- Critical: \u003e$1600\n\nWe will pay higher bounties to researchers who make things easy for us. Such activities include:\n- Providing additional details when queried or confirming fixes\n- Detailed threat modeling information about the identified issues. How would an attacker use the issue you identified to attack our customers or our team?\n- Clearly written reports\n- Working proof of concept provided and/or detailed steps to reproduce issue\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-11-03T19:30:03.865Z"},{"id":3541166,"new_policy":"# ABOUT BLOCKCHAIN\n\nBlockchain is Bitcoin's most popular bitcoin wallet and block explorer. As of January 2014 the site has over 1.1 million registered users and 200 million page views per month.\n\n# HACKERONE\n\nThe purpose of this reward program is to be proactive about security by providing a channel for security researchers to report potential security vulnerabilities identified related to our web assets and mobile applications.\n\n*Note:* Higher rewards will be paid out in case of vulnerabilities of a certain interest or criticality. \n\nPlease review our security writeup before submitting reports:\nhttps://blockchain.info/wallet/security\n\n# SCOPE\n\nThe following items can be reported to us through HackerOne, but are out of scope for bounty rewards:\n- Vulnerabilities related to 3rd-party software (e.g. Java, plugins, extensions) are not in scope.\n- Minor issues, e.g. cookie flags and auto-complete fields are out of scope.\n- Open URL Redirects\n\nThe following commonly reported items are known to us and should not be reported:\n- Open redirect at blockchain.info/r. unless you devise a way to bypass the warning screen\n- The same email address can be used to register multiple wallet accounts -- this is intentional.\n\n# THANK YOU\n\nBounties are paid out after a risk assessment has been made by our Security Engineering team. Bugs must fall within scope, be reproducible, and must not have been previously reported by other researchers in order to be eligible for a bounty. Roughly speaking, we calculate the severity of an issue with the following formula:\n\n- Severity = Impact * Likelihood\n\nBase bounty amounts are as follows:\n\n- Low: $50\n- Medium: $400\n- High: $1600\n- Critical: \u003e$1600\n\nWe will pay higher bounties to researchers who make things easy for us. Such activities include:\n- Providing additional details when queried or confirming fixes\n- Detailed threat modeling information about the identified issues. How would an attacker use the issue you identified to attack our customers or our team?\n- Clearly written reports\n- Working proof of concept provided and/or detailed steps to reproduce issue\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-11-01T15:17:49.442Z"},{"id":3541165,"new_policy":"# ABOUT BLOCKCHAIN\n\nBlockchain is Bitcoin's most popular bitcoin wallet and block explorer. As of January 2014 the site has over 1.1 million registered users and 200 million page views per month.\n\n# HACKERONE\n\nThe purpose of this reward program is to be proactive about security by providing a channel for security researchers to report potential security vulnerabilities identified related to our web assets and mobile applications.\n\n*Note:* Higher rewards will be paid out in case of vulnerabilities of a certain interest or criticality. \n\nPlease review our security writeup before submitting reports:\nhttps://blockchain.info/wallet/security\n\n# SCOPE\n\nThe following items can be reported to us through HackerOne, but are out of scope for bounty rewards:\n- Vulnerabilities related to 3rd-party software (e.g. Java, plugins, extensions) are not in scope.\n- Minor issues, e.g. cookie flags and auto-complete fields are out of scope.\n- Open URL Redirects\n\nThe following commonly reported items are known to us and should not be reported:\n- Open redirect at blockchain.info/r. unless you devise a way to bypass the warning screen\n- The same email address can be used to register multiple wallet accounts -- this is intentional.\n\n# THANK YOU\n\nBounties are paid out after a risk assessment has been made by our Security Engineering team. Bugs must fall within scope, be reproducible, and must not have been previously reported by other researchers in order to be eligible for a bounty. Roughly speaking, we calculate the severity of an issue with the following formula:\n\n- Severity = Impact * Likelihood\n\nBase bounty amounts are as follows (paid in Bitcoin, of course):\n\n- Low: $50\n- Medium: $400\n- High: $1600\n- Critical: \u003e$1600\n\nWe will pay higher bounties to researchers who make things easy for us. Such activities include:\n- Providing additional details when queried or confirming fixes\n- Detailed threat modeling information about the identified issues. How would an attacker use the issue you identified to attack our customers or our team?\n- Clearly written reports\n- Working proof of concept provided and/or detailed steps to reproduce issue\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-11-01T15:17:37.453Z"},{"id":3541049,"new_policy":"# ABOUT BLOCKCHAIN\n\nBlockchain is Bitcoin's most popular bitcoin wallet and block explorer. As of January 2014 the site has over 1.1 million registered users and 200 million page views per month.\n\n# HACKERONE\n\nThe purpose of this reward program is to be proactive about security by providing a channel for security researchers to report potential security vulnerabilities identified related to our web assets and mobile applications.\n\n*Note:* Higher rewards will be paid out in case of vulnerabilities of a certain interest or criticality. \n\nPlease review our security writeup before submitting reports:\nhttps://blockchain.info/wallet/security\n\n# SCOPE\n\nThe following items can be reported to us through HackerOne, but are out of scope for bounty rewards:\n- Vulnerabilities related to 3rd-party software (e.g. Java, plugins, extensions) are not in scope.\n- Minor issues, e.g. cookie flags and auto-complete fields are out of scope.\n- Open URL Redirects\n\n# THANK YOU\n\nBounties are paid out after a risk assessment has been made by our Security Engineering team. Bugs must fall within scope, be reproducible, and must not have been previously reported by other researchers in order to be eligible for a bounty. Roughly speaking, we calculate the severity of an issue with the following formula:\n\n- Severity = Impact * Likelihood\n\nBase bounty amounts are as follows (paid in Bitcoin, of course):\n\n- Low: $50\n- Medium: $400\n- High: $1600\n- Critical: \u003e$1600\n\nWe will pay higher bounties to researchers who make things easy for us. Such activities include:\n- Providing additional details when queried or confirming fixes\n- Detailed threat modeling information about the identified issues. How would an attacker use the issue you identified to attack our customers or our team?\n- Clearly written reports\n- Working proof of concept provided and/or detailed steps to reproduce issue\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-31T18:36:23.708Z"}]