The ETERBASE Bug Bounty program is open to the public. Any security researcher can take part and report potential security vulnerabilities in the ETERBASE products.
Bug Bounty Reports should be related only to our key services:
- ETERBASE Web Site: https://eterbase.com
- ETERBASE Exchange: https://eterbase.exchange
- ETERBASE API: https://api.eterbase.exchange
- EURBASE Web Site: http://www.eurbase.com
The following findings are non-rewardable:
- Clickjacking and issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous users
- Login or Forgot Password page brute force and account lockout not enforced
- Username/email enumeration via Login Page and/or Forgot Password error message
- Logout Cross-Site Request Forgery (logout CSRF)
- Missing HTTP security headers
- Misconfigured or lack of SPF records
- Email spoofing (including SPF, DKIM, From: spoofing, and visually similar, and related issues)
- Failure to invalidate session on password change or MFA change
- OPTIONS HTTP method enabled
- Self XSS
- Descriptive error messages (such as application or server errors)
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Disclosure of known public files or directories (such as robots.txt)
- Vulnerabilities related to non-implemented functionalities (such as session invalidation)
Any external services used as part of our ecosystem are out of scope for the Bug Bounty program, as we use these external services at the consumer level.
Key requirements for Bug Bounty Reports are:
- Your contact information (name and email)
- Bug description
- Steps to reproduce
- URL related to your finding
- Any attachments (document, image or short video)
The ETERBASE Security Team is responsible for evaluating each reported bug record and can take up to 14 days to contact the Bug Reporter for more details or to provide feedback about related rewards.
Please be aware that we will reward the same issue only once. The reward is valid only for the 1st Bug Reporter who reports a specific issue/bug. Our Security team will evaluate each report (bug), compare it with our existing backlog, and inform the Bug Reporter about the final result.
Reward amounts for Security Vulnerabilities
| Category / Severity | Critical | High | Medium | Low |
|---|---|---|---|---|
| Remote code execution | 200 | 150 | 100 | n/a |
| Unrestricted file system or database access | 150 | 100 | 80 | n/a |
| Logic flaw bugs leaking or bypassing significant security controls | 120 | 100 | 80 | 60 |
| Execute code on the client-side | 100 | 80 | 60 | 45 |
| Other valid security vulnerabilities | 60 | 45 | 30 | 20 |
All values listed above in the table are in Eterbase Utility Token (XBASE).
The Bug Bounty reward for a valid report/vulnerability will be deposited, after approval from the ETERBASE Client Information and Security Officer, to the Bug Reporter, who must have a valid account on ETERBASE Exchange. We do not send rewards to any external ETH addresses outside ETERBASE Exchange. The reward can't be paid in any asset other than Eterbase Utility Token (XBASE). We do not provide reward payments in FIAT (EUR/USD).
Submit your finding via our contact form.
Thanks for your support and let's try to hack us! :)