Technical Overview

Bug Bounty Program 🌳

4min

Details about Treejer's green bug bounty will be shared here soon
Guidelines
Participating in our security bounty program requires you to follow our guidelines. Responsible investigation and reporting includes, but not limited to the following:
Don't download, modify, or destroy other users' data.
Don't cause a denial-of-service on our platform through exploits, vulnerabilities, traffic, or causing issues with our technology providers.
Don't repeatedly request updates on your reports. Treejer is a small team and constant requests for updates can render your report ineligible. Allow us up to 7 days to respond to your emails.
Do only use your own account to test issues in production. You can also download our open source code and run your own instance to research and test for vulnerabilities.
Social engineering attacks, DDOS, physical access, spearfishing, etc. are not eligible.
Payouts will be made to the first individuals who submit a report.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
The only domain eligible for the bounty program is https://treejer.com - no subdomains, related services, etc. are within the scope of the program. Vulnerabilities found in support services (ex: Forum, Blog, etc.) are not eligible.
The Treejer team has the final say in all determinations of bounty payouts including severity, classification, amount, whether the report falls under our guidelines, etc.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Mentions of secrets, access tokens, API keys, private keys, etc. in Github, will be considered out of scope without proof that they are in-use in production
any subdomain of *.treejer.com
In-browser chat applications
SGX-related issues or vulnerabilities
Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)
OS-related vulnerabilities
Clickjacking on pages with no sensitive actions.
Unauthenticated/logout/login CSRF.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Email or DNS configurations
Site or domain configuration
Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain)
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Communication
Vulnerabilities should be disclosed directly to the Treejer team by emailing security@treejer.com - reports should not be made publically or to any third party. These communications must remain confidential to be eligible.
Threats, ransom demands, unprofessional language, etc. of any kind will automatically disqualify you from participating in the program.
Bounty table 
We plant trees for any bugs found! The NFTs of these (regular) trees will be sent to the wallet address of the person who submits the bug.
Bug Severity
Number of Trees We Plant
Low
50
🌳
Medium
100
🌳🌳
High
500
🌳🌳🌳🌳🌳
Critical
1000
🌳🌳🌳🌳🌳🌳🌳🌳🌳🌳
Found a bug but not interested in trees? Let us know when you submit the bug.
﻿