BW is committed to provide the most secure platform for users. We are well aware of the important role of external security researchers and developers play in maintaining the security of the community. On 16 October 2020, we hereby release the BW BUG Bounty Program. BW welcomes to submit the BUG report to this email: email@example.com.
Vulnerability level Recommended reward:
High risk: 100-300 USDT
Medium risk: 30-100 USDT
Low risk: 10-30 USDT
Vulnerability level description
Vulnerability levels are classified into three levels: [high-risk], [medium-risk], and [low-risk].
Vulnerability Rating Taxonomy is as follow:
The base score is 60-100. High-risk included but not limited to:
- Permissions to directly obtain system permissions (server permissions, client permissions), included but not limited to remote command execution, arbitrary code execution, upload to obtain Webshel, SQL injection to obtain system permissions and other vulnerabilities.
- Directly leading to denial-of-service breakthroughs in important services, included but not limited to directly leading to API service denial of service, website application denial of service, and other remote denial of service vulnerabilities that have severe impacts
- Important sensitive information leakage, including but not limited to SQL injection vulnerabilities in important business databases, can obtain sensitive information interference caused by interface problems such as large amounts of core business data.
- Severe logical design flaws and process flaws, included but not limited to batch modification of arbitrary account password cracking, logical breakthroughs involving core business, etc.
- Unauthorized access to sensitive information, including but not limited to bypassing authentication and directly accessing the management background, weak passwords in important background, and server-side request forgery (SSRF) intrusions that obtain a large amount of sensitive information on the intranet.
- Sensitive operations of enterprise's important business beyond authority, including but not limited to account overriding authority to modify important information, modification of important business configuration, etc.
- Other intrusions affecting users on a large scale, including but not limited to breakthroughs in stored cross-site scripting attacks (including stored DOM-XSS) that can cause important pages to be automatically propagated.
The base score is 30-50, and the medium-risk included but not limited to:
- Vulnerabilities that affect users by interaction parties, including but not limited to cross-site scripting vulnerabilities in storage types for general pages, cross-site request forgery (CSRF) intrusions involving core business, etc.
- Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information, perform user operations, etc.
- Common logic design flaws and process flaws, including but not limited to unlimited SMS sending, registration of any mobile email address, etc.
The base score is 10-20, and the reward coefficient can be 0. Low risk included but not limited to
- Local Denial of Service Vulnerabilities, including but not limited to client local denial of service (parsing file formats, crashes caused by network protocols), and issues caused by Android component permissions exposure, common application permissions, etc.
- General information leakage, including but not limited to client-side plaintext storage passwords, web path traversal, system path traversal intrusion, etc.
- Other vulnerabilities with minimal harm, included but not limited to reflective cross-site scripting vulnerabilities (including reflective DOM-XSS), common cross-site request forgery (CSRF), URL extension vulnerabilities, etc.
- BWonly rewards first bug finder who submitted and get verified. Similar reports will not receive rewards, but BW will reply to users to explain the situation;
- In the process of vulnerability report processing, if the reporter has any objection to processing, vulnerability rating, vulnerability scoring, etc., they can contact us by email.
- Reward distribution: Reward distribution will be issued within 1 week after the vulnerability report is verified, which can be viewed in BWAccount; Rewards will be issued in the form of USDT;
- The right of final interpretation reserves by BW;
Official website: www.bw.com | www.bw.io
Download BW APP: https://www.bw.io/appDownload
BW, Bit World, Better World
Oct 16, 2020