Creditcoin Testnet | Bug Bounty Guide 🪲

Welcome to the Creditcoin Testnet Bug Bounty Program, an essential initiative designed to enhance the security and integrity of the Creditcoin protocol through community participation.

In this guide, we'll walk you through the program's scope, reward system, and submission process to ensure a smooth and productive bug bounty experience, with up to $1500+ in ERC-20 CTC tokens for each bug reported.

Bug Reward Guide

Creditcoin is offering rewards up to $1500 in ERC-20 CTC tokens for each bug reported, on a first-come-first-served basis. The reward amount varies with the severity of the bug, categorized as follows:

Severity                              Reward range
Low Severity                          $10-$99
Medium Severity                       $100-$399
High Severity (CVSS 1.6 - 3.5)        $400-$699
Critical Severity (CVSS 3.6 - 5.9)    $700-$999
Extreme Severity (CVSS 6.0 - 10.0)    $1000-$1500+

Severity Levels Explained

Medium and Low Severity levels denote bugs that do not constitute a security vulnerability. Medium Severity bugs include stuck transactions or other obstacles to normal, expected functionality, while Low Severity bugs generally involve visual discrepancies.

For High, Critical, and Extreme Severity levels, severity is assessed using the base metrics of the Common Vulnerability Scoring System (CVSS), the scoring standard used by the National Vulnerability Database. These include:

  • Attack Vector (AV): Describes how a vulnerability is exploited.
  • Attack Complexity (AC): Indicates the expertise needed to exploit the vulnerability.
  • Privileges Required (PR): Specifies the attacker's required privileges.
  • User Interaction (UI): Details the user interaction required for exploitation.
  • Scope (S): Outlines the vulnerability's impact extent.
  • Confidentiality, Integrity, and Availability (CIA) Impact: Describes the vulnerability's effect on system confidentiality, integrity, and availability.

When submitting a High, Critical, or Extreme Severity bug report, use the CVSS metrics linked here to assess the severity of your reported bug, and include the full vector string (for example, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) alongside the numeric score so the team can verify the assessment. Note that the score bands in the table above are this program's own tiers and do not match the standard CVSS qualitative ratings (0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical); the numeric base score, not the calculator's rating label, decides the tier.

Bug Submission Process

To report a bug, follow these steps:

  1. Assess the severity of your reported bug.
    1. Low or Medium Severity → Skip to step 2.
    2. High, Critical, or Extreme Severity:
      1. Complete a bug severity assessment using the CVSS metrics linked here.
      2. Prepare a bug vulnerability report following these guidelines.
  2. Submit your bug report through this form.
    1. If your bug is High, Critical, or Extreme Severity, include the vulnerability report and severity assessment in plain text.
  3. If your bug qualifies for a bounty, our team will be in touch.
Please note: Bug classification and rewards are at the discretion of the Creditcoin development team.

Bug Eligibility Criteria

In Scope

  1. An issue must be exploitable in an intended deployed environment and configuration, or be a simple bug that does not lead to a vulnerability as described in the section above.
  2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, a machine, or the decentralized network.
  3. Generally, issues reported in the latest release and in development will be considered in scope, though long-term support commitments may vary from component to component.
  4. If a bug isn't exploitable, it cannot receive a grading above Medium (this is the distinction between a bug that degrades UX and a bug that creates a vulnerability).

Out of Scope

  1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc.
  2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy.
  3. Issues that are already being addressed publicly or privately by the responsible teams.
  4. Services and websites operated by third parties.
  5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.
  6. Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.
  7. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.
  8. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, etc.
  9. Non-trivial DoS attacks, or DoS attacks that may be mitigated by existing operational controls, e.g. gas, fees, etc. An example of a trivial DoS attack would be a single request or message that could halt or cause significant disruption for all users of the Creditcoin network.
  10. Issues raised around product or architecture deficiencies that are not immediately exploitable.
  11. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.

Ineligibility

  • Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.
  • Vulnerabilities affecting outdated or unpatched browsers.
  • Vulnerabilities that have been released publicly prior to Creditcoin issuing a comprehensive fix.
  • Vulnerabilities already known to us, or already reported by someone else (the reward goes to the first reporter).
  • Issues that aren't reproducible.
  • Vulnerabilities that require an improbable level of user interaction.
  • Suggestions on best practices.
  • Any report without an accompanying proof-of-concept exploit.

About Creditcoin

Creditcoin is the world’s leading real-world asset infrastructure chain, with over 3 million credit transactions recorded to-date. By matching borrowers, lenders and investors on-chain, the protocol is paving the way for a new generation of globally interoperable credit markets.

Having integrated with various fintech lenders and connecting them directly to global DeFi investors, the Creditcoin network has helped thousands of borrowers, businesses, and investors secure capital financing, build credit history, and make global RWA investments.

Website | Twitter | Discord | Medium | Youtube | Telegram(ANN) | Telegram(Community) | Whitepaper|Opensea