SMART VALOR Bug Bounty Program

The SMART VALOR team is making every effort to ensure security on our platform. To help us make the SMART VALOR Platform safer for our users, we heartily welcome security researchers, individuals or groups, to scrutinize the whole platform and report any vulnerabilities they find to us. We will run a bug bounty program to advance constantly in this regard and to allow responsible identification and disclosure of reports with our security team.

We welcome all security and vulnerability reports on the SMART VALOR domain. Reporters shall be remunerated depending on the severity of the disclosed vulnerabilities. We wholeheartedly welcome disclosure of all issues. However, please note that only bona fide security issues qualify for compensation. This implies that the researcher should follow a responsible disclosure model and allow SMART VALOR equitable time to evaluate and fix the vulnerability before details about it are made public. We urge anyone researching vulnerabilities to pass on the information you find; there is no need to exploit the issues. Your fidelity to the practice of responsible disclosure is very much appreciated.

Testing Requirements

* Tests are black-box tests. The design, infrastructure and implementation of the website are not disclosed to the tester.
* Do not include proofs of concept that compromise the accounts of others. These are subject to disqualification. Make attack attempts only on accounts you own or control.
* Testing using social engineering techniques is not recommended.
* DDoS attacks are strictly forbidden. DoS attacks that are triggered by exploiting business logic are welcome. DoS by server resource exhaustion is not permitted.
* Do not run automated tests without giving SMART VALOR proper notice.
* Security of hardware, offices and/or employees of SMART VALOR is outside the scope of the program.

Qualifying Vulnerabilities¹

* Cross Site Scripting (XSS)
* Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
* Authentication and Authorization Flaws
* Cross Site Request Forgery (CSRF)
* Remote Code Execution (RCE)
* Code injections (HTML, SQL, PHP, etc.)
* Insecure direct object references
* CORS misconfiguration
* Directory Traversal
* Privilege Escalation
* Stack traces or path disclosure
* DoS (ONLY those triggered by abusing our business logic, not by server resource exhaustion)

Non-Qualifying Vulnerabilities¹

* Self XSS
* Missing cookie flags
* SSL/TLS best practices
* Mixed content warnings
* DDoS attacks (strictly forbidden)
* HTTP Host Header XSS
* Clickjacking/UI redressing
* Software version disclosure
* Physical or social engineering attempts
* Recently disclosed 0-day vulnerabilities
* Presence of autocomplete attribute on web forms
* Vulnerabilities affecting outdated browsers or platforms
* Issues that require physical access to a victim’s computer/device
* Logout and other instances of low-severity Cross-Site Request Forgery
* Missing security-related HTTP headers which do not lead directly to a vulnerability
* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
* Invalid, incomplete or missing SPF (Sender Policy Framework), DKIM or DMARC records

Eligibility requirements for monetary compensation

* The report must abide by the testing requirements and submission guidelines.
* You must be the first researcher to report a given vulnerability.
* The vulnerability must address a bona fide security problem.
* Allow SMART VALOR equitable time to evaluate and fix the vulnerability before details about it are made public.
* You must not access personal information, leak, manipulate or tamper with user data, or cause disruption of service.
* You must send us a proof of concept detailing the steps to reproduce the vulnerability. Include screenshots and code where necessary.
* You cannot be a current or former employee of SMART VALOR or our contractors/data processors.

Guidelines for submission and information handling

* Provide your name and contact information along with your submission.
* Allow SMART VALOR equitable time to evaluate and fix the vulnerability before details about it are made public.
* The researcher must not access personal information, leak, manipulate or tamper with user data, or cause disruption of service.
* If need be, encrypt your findings using our PGP key and send them to security@smartvalor.com.
* Do not disclose any issues to the public, or to any third party unless SMART VALOR grants explicit permission.
* Do not disclose any report submitted towards or in regard to this program unless SMART VALOR grants explicit permission.
* Any questions about the timeline for handling a report should be asked in the submitted report itself.

Possible Awards

In addition to a mention in our Hall of Fame and a recommendation on your profile, SMART VALOR rewards reports based on the severity of the vulnerabilities. The following compensation structure is provided for reference.

Critical – up to 10,000 VALOR
Major – up to 1,000 VALOR
Minor – up to 100 VALOR
Trivial – up to 10 VALOR

Kindly note that SMART VALOR has the right to determine the severity level and modify the compensation model, as well as the right to decline or reject reports that do not meet the stated guidelines.

Note that all VALOR paid as bounties is subject to a lock-up of 6 months.
For the latest price of the VALOR, visit: https://coinmarketcap.com/currencies/valor-token/

If you are a researcher participating in the SMART VALOR Bug Bounty program, please send your findings to security@smartvalor.com. Find our PGP key here. The fingerprint for the key is: F59B CF44 7182 0E45 B6A6 4C00 EE80 5449 C89B C811

¹ This classification is given as an example and is intended for your reference only.