Details about Treejer's green bug bounty will be shared here soon
Participating in our security bounty program requires you to follow our guidelines. Responsible investigation and reporting includes, but not limited to the following:
- Don't download, modify, or destroy other users' data.
- Don't cause a denial-of-service on our platform through exploits, vulnerabilities, traffic, or causing issues with our technology providers.
- Don't repeatedly request updates on your reports. Treejer is a small team and constant requests for updates can render your report ineligible. Allow us up to 7 days to respond to your emails.
- Do only use your own account to test issues in production. You can also download our open source code and run your own instance to research and test for vulnerabilities.
- Social engineering attacks, DDOS, physical access, spearfishing, etc. are not eligible.
- Payouts will be made to the first individuals who submit a report.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- The only domain eligible for the bounty program is https://treejer.com - no subdomains, related services, etc. are within the scope of the program. Vulnerabilities found in support services (ex: Forum, Blog, etc.) are not eligible.
The Treejer team has the final say in all determinations of bounty payouts including severity, classification, amount, whether the report falls under our guidelines, etc.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github, will be considered out of scope without proof that they are in-use in production
- any subdomain of *.treejer.com
- In-browser chat applications
- SGX-related issues or vulnerabilities
- Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)
- OS-related vulnerabilities
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Email or DNS configurations
- Site or domain configuration
- Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain)
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Vulnerabilities should be disclosed directly to the Treejer team by emailing - reports should not be made publically or to any third party. These communications must remain confidential to be eligible.
Threats, ransom demands, unprofessional language, etc. of any kind will automatically disqualify you from participating in the program.
We plant trees for any bugs found! The NFTs of these (regular) trees will be sent to the wallet address of the person who submits the bug.
Found a bug but not interested in trees? Let us know when you submit the bug.