The Routescan team will only respond to valid submissions. Any submission that is out of scope or not relevant will not be processed.
Guidelines
We ask that all researchers:
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
Use the identified communication channels to report vulnerability information to us
Report vulnerabilities as soon as you discover it, but keep it confidential between yourself and Routescan until we’ve resolve the issue
Provide us with at least 7 working days to investigate the issue and revert back to you
If you are the first to report the issue, and we make a code or configuration change based on the issue, we commit to:
Recognize your contribution on Routescan.io
Reward you with a bounty (up to a maximum of $2500 paid out per month):
$1000-$3000 in crypto equivalent if you identified a vulnerability that presented a critical risk *
$500 in crypto equivalent if you identified a vulnerability that presented a high risk *
$250 in crypto equivalent if you identified a vulnerability that presented a moderate risk *
$0 in crypto equivalent if you identified a vulnerability that presented a low risk *
Entry in Hall of Fame Only, If there was in fact no or low risk vulnerability, but we still made a code or configuration change nonetheless
Researcher will provide us with a wallet address based on the reported explorer for the payout within 7 days after we have resolved the issue.
* vulnerability level will be determined at our discretion
** in the event the vulnerabilty exists in multiple explorers, only the reported explorer is entitled to the rewards
We are interested in the following vulnerabilities:
Business logic issues
Remote code execution (RCE)
Database vulnerability, SQLi
File inclusions (Local & Remote)
Access Control Issues (IDOR, Privilege Escalation, etc)
Leakage of sensitive information
Server-Side Request Forgery (SSRF)
Other vulnerability with a clear potential loss
Out of scope
Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not correspond to the severity threshold
Visual typos, spelling mistakes, etc
Findings derived primarily from social engineering (e.g. phishing, etc)
Findings from applications or systems not listed in the ‘Scope’ section
UI/UX bugs, Data entry errors, spelling mistakes, typos, etc
Network level Denial of Service (DoS/DDoS) vulnerabilities
Certificates/TLS/SSL related issues
DNS issues (i.e. MX records, SPF records, etc.)
Server configuration issues (i.e., open ports, TLS, etc.)
Spam or Social Engineering techniques
Security bugs in third-party applications or services
XSS Exploits that do not pose a security risk to 'other' users (Self-XSS)
Login/Logout CSRF-XSS
https/ssl or server-info disclosure related issues
https Mixed Content Scripts
Brute Force attacks
Best practices concerns
Recently (less than 30 days) disclosed 0day vulnerabilities
Username/email enumeration via Login/Forgot Password Page error messages
Missing HTTP security headers
Weak password policy
HTML injection
How to Report a Security Vulnerability
Description of the location and potential impact of the vulnerability
A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
Your name/handle and a link for recognition in our Hall of Fame (twitter, reddit, facebook, hackerone, etc)
List down the affected explorer(s)
Submit your full report via our Interactive Support Hub chat icon at the bottom right corner of this page.