Dipper Wallet bug bounty program

Dipper Network
Dec 8, 2020


Security is always the top priority for a digital wallet. To build a safe and reliable product for users, Dipper Wallet is linked to the Dipper Network so that users can take part in governing the network directly from their wallets. We hope that more excellent developers and enthusiasts in the blockchain community will participate, and the Dipper Network project will generously reward those who discover vulnerabilities in Dipper Wallet.

Issues in scope:
1. All UI/UX bugs;
2. Vulnerabilities that can steal assets or cause asset loss;
3. Defects in algorithm implementation, including keystore handling, wallet generation, transaction signing, etc.;
4. Logic vulnerabilities in chain-related code;
5. Vulnerabilities in the wallet application layer;
6. App denial-of-service vulnerabilities, such as app crashes;
7. Unsafe or non-standard code implementation;
8. Vulnerabilities in the third-party libraries the wallet depends on.

Business Scope
Dipper Wallet (Android), download link: http://fir.highstreet.top/dipperwallettest
Dipper Wallet (iOS), download link: https://testflight.apple.com/join/80C8CMsO
*The iOS build is distributed through TestFlight, which must be installed first.

Processing flow
Reporting stage:
1) Report the issue via WeChat (weixinghjw);
2) Or open an issue at https://github.com/Dipper-Labs/Dipper-Wallet-iOS/issues
Submission template:
Vulnerability name, platform (iOS, Android), discovery time, damage level, vulnerability details, screenshots and videos
Processing stage: within 1–3 working days, staff will confirm the problem and begin handling it.
Repair stage: the problem is fixed according to its difficulty, and a reply is given within 1–7 working days.

Reward standard

The final reward depends on the severity of the vulnerability and its actual impact. The amount stated for each level is the maximum reward for that level.

Serious vulnerabilities
Serious vulnerabilities are those in core business systems (core control systems, domain controllers, business distribution systems, bastion hosts and other control systems that manage a large number of machines) that can cause wide-area impact, obtain control over a large number of business systems (judged case by case), or obtain core system administrator privileges and control of the core system.
Including but not limited to:
Control of multiple machines on the intranet
Obtaining super-administrator privileges on the core back end, leading to large-scale leakage of core enterprise data with major impact
Smart contract integer overflow and race condition vulnerabilities
High-risk vulnerabilities
System access (getshell, command execution, etc.)
SQL injection in a system (instances in back-end systems may be downgraded; bundle and submit them as appropriate)
Unauthorized access to sensitive information, including but not limited to bypassing authentication to reach the management back end directly, weak passwords on important back ends, SSRF that obtains a large amount of sensitive intranet information, etc.
Arbitrary file read
XXE that can be used to obtain arbitrary information
Unauthorized operations involving funds, such as bypassing payment logic (must be exploited end to end)
Serious logic and process design flaws, including but not limited to logging in as any user, batch-resetting any account's password, logic flaws in the enterprise's core business, etc., excluding verification-code brute forcing
Other vulnerabilities that affect users at scale, including but not limited to stored XSS on important pages that propagates automatically, stored XSS that obtains administrator authentication information with a working exploit, etc.
Large-scale source code leak
Smart contract access-control defects

Medium-risk vulnerabilities
Vulnerabilities that require user interaction to affect users, including but not limited to stored XSS on ordinary pages, CSRF on core business operations, etc.
Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information, perform operations as another user, etc.
Denial-of-service vulnerabilities, including but not limited to remote denial of service that takes down the web application
Verification-code logic flaws that allow brute forcing of sensitive operations such as logging in to any account or resetting any account's password
Leakage of sensitive authentication key material stored locally, with a working exploit

Low-risk vulnerabilities
Local denial of service, including but not limited to client-side crashes (file format parsing, network protocol handling), problems caused by exported Android components, ordinary app permission issues, etc.
Common information leaks, including but not limited to web path traversal, system path traversal, directory listing, etc.
Reflected XSS (including DOM XSS / Flash XSS)
Ordinary CSRF
Open redirect (URL jump)
SMS bombing, mail bombing (only one vulnerability of this type is accepted per system)
Other vulnerabilities with low harm or no demonstrable harm (for example CORS misconfigurations through which no sensitive information can be obtained)
Blind SSRF (no response echo) without further exploitation
Mail spoofing due to a missing or misconfigured SPF record
Vulnerability types currently not rewarded
Username enumeration by brute forcing an interface
Self-XSS
CSRF on non-sensitive operations
Standalone Android android:allowBackup="true" findings, local denial of service, etc. (unless exploited further)
Slow requests caused by manipulating image size parameters
Version disclosure of Nginx/Tomcat and similar software
Functional bugs that do not create a security risk


Written by Dipper Network

A complete basic financial protocol combining cross-chain technology and open finance (DeFi), built to create a cross-chain financial center