XDEFI Wallet Bug Bounty program
If you think you have identified a potential bug in the XDEFI Wallet Extension (Chrome web extension) or in app.xdefi.io please send an email to bugbounty@xdefi.io outlining the issue in sufficient detail. We will review your email, try to reproduce the issue and reply to you within 48 hours.
Rewards are based on severity per CVSS (Common Vulnerability Scoring Standard) and all reward decisions are at the sole discretion of XDEFI Technologies Ltd.
[Last updated: 29 May 2023]
Policy
XDEFI Technologies Ltd is delighted to be working with its community to find vulnerabilities in order to keep XDEFI Wallet and its users safe.
XDEFI Wallet is a non-custodial wallet that allows you to securely swap, store, and send crypto & NFTs across 30 blockchains.
Response Targets
- XDEFI Technologies Ltd will endeavour to meet the following SLAs (Service Level Agreements) for all bug reports that are submitted:
- Response times:
- First Response: 2 business days
- Time to Triage: 2 business days
- Time to Bounty: 14 business days
- Time to Resolution: varies according to severity and complexity
- Regular updates will be provided throughout the process.
Disclosure Policy
Please do not discuss any vulnerabilities (even resolved ones or potential ones) with anyone without the prior written consent of XDEFI Technologies Ltd.
Bug Bounty claim rules
Please provide detailed reports with clear, reproducible steps. If the report is not sufficiently clear or detailed for us to be able to reproduce the same issue, then it will not be eligible for a reward.
- Only submit one vulnerability per email (unless you need to chain or link vulnerabilities for impact).
- If we receive duplicated reports, we will only award the first report that was received (provided that it is sufficiently clear and detailed).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, smishing) is prohibited.
- Ensure that you avoid privacy violations, destruction of data, and interruption or degradation of XDEFI Wallet’s service.
- Only interact with accounts that you own (or where you have the account holder’s clear and express permission to do so).
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (I) attack scenario / exploitability, and (II) security impact of the bug. The following issues are considered out of scope:
- Any activity that could lead to the disruption of our service (DoS).
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user’s device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Content spoofing and text injection issues without showing an attack vector and/or without being able to modify HTML/CSS.
- Rate limiting or bruteforce issues on non-authentication endpoints.
- Missing best practices in SSL/TLS configuration or in Content Security Policy.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Missing HttpOnly or Secure flags on cookies.
- Vulnerabilities only affecting users of outdated or unpatched browsers.
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
- Issues that require unlikely user interaction.
- Tabnabbing.
- Open redirect – unless an additional security impact can be demonstrated.
- xdefi.io website
Thank you for helping to keep XDEFI Wallet and our users safe!
[Last updated: 29 May 2023]