Technical Overview
Bug Bounty Program š³
4min
details about treejer's green bug bounty will be shared here soon guidelines participating in our security bounty program requires you to follow our guidelines responsible investigation and reporting includes, but not limited to the following don't download, modify, or destroy other users' data don't cause a denial of service on our platform through exploits, vulnerabilities, traffic, or causing issues with our technology providers don't repeatedly request updates on your reports treejer is a small team and constant requests for updates can render your report ineligible allow us up to 7 days to respond to your emails do only use your own account to test issues in production you can also download our open source code and run your own instance to research and test for vulnerabilities social engineering attacks, ddos, physical access, spearfishing, etc are not eligible payouts will be made to the first individuals who submit a report submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact multiple vulnerabilities caused by one underlying issue will be awarded one bounty the only domain eligible for the bounty program is https //treejer com no subdomains, related services, etc are within the scope of the program vulnerabilities found in support services (ex forum, blog, etc ) are not eligible the treejer team has the final say in all determinations of bounty payouts including severity, classification, amount, whether the report falls under our guidelines, etc out of scope vulnerabilities when reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug the following issues are considered out of scope mentions of secrets, access tokens, api keys, private keys, etc in github, will be considered out of scope without proof that they are in use in production any subdomain of treejer com in browser chat applications sgx related issues or vulnerabilities issues/bugs/vulnerabilities specific to the given ethereum client (geth or parity) os related vulnerabilities clickjacking on pages with no sensitive actions unauthenticated/logout/login csrf attacks requiring mitm or physical access to a user's device previously known vulnerable libraries without a working proof of concept comma separated values (csv) injection without demonstrating a vulnerability missing best practices in ssl/tls configuration email or dns configurations site or domain configuration any activity that could lead to the disruption of our service (dos; please set up pocs on a private chain) content spoofing and text injection issues without showing an attack vector/without being able to modify html/css communication vulnerabilities should be disclosed directly to the treejer team by emailing security\@treejer com reports should not be made publically or to any third party these communications must remain confidential to be eligible threats, ransom demands, unprofessional language, etc of any kind will automatically disqualify you from participating in the program bounty table we plant trees for any bugs found! the nfts of these (regular) trees will be sent to the wallet address of the person who submits the bug bug severity number of trees we plant low 50 š³ medium 100 š³š³ high 500 š³š³š³š³š³ critical 1000 š³š³š³š³š³š³š³š³š³š³ found a bug but not interested in trees? let us know when you submit the bug