Bug Bounty Overview

DeVol Product Program Terms

Last Updated September 07, 2023

Welcome to the DeVol Bug Bounty Program (the "Program"), where security takes center stage. With a relentless commitment to safeguarding the security, integrity, availability, and privacy of our services, we actively anticipate and counter evolving threats. We understand that the realm of security is ever-changing, and we collaborate closely with independent researchers while staying informed about the latest advancements. Embracing a proactive approach, we highly value user and community input, reserving funds to support our dedicated Program.

Find program details and participation guidelines below, ensuring eligibility under our Terms & Conditions (T&C). Participation in the Program is subject to compliance with our T&C.

Target in scope

• https://app.devol.network

NOTE: Any DeVol Network domain/property not listed in the Target in scope section is out of scope, this includes any/all subdomains not listed above.

How to access

To participate in the Program, follow these steps to access the DeVol Platform:

Account Access: Log in to the DeVol Platform service using your registered account credentials.

Communication: All correspondence will be directed to the email address linked with your account. Make sure to monitor this email inbox regularly.

Important Note: If you discover a vulnerability, promptly file a submission. Our dedicated security team will initiate an investigation to evaluate the potential impact of the vulnerability.

Focus Areas

• User Data/ User Information Leaks

• Smart Contract Exploits (Solana)

• Injection attacks (Server/Client side)

• RCE (Remote Code Execution)

• Privilege escalation (Vertical/Horizontal)

Reward Range

Rules of engagement

We welcome your contribution to enhancing the security of the Production/Dev DeVol Platform environments. To maintain a collaborative and secure testing environment, we kindly request that you refrain from the following actions:

• Prior Authorization for Automated Scans: Avoid initiating automated scans without obtaining explicit approval from us first. If you intend to use automated testing tools, ensure your requests remain well below the threshold of 75-100 requests per second. Exceeding this limit may lead to unintended lockouts.

• Exploit Usage Guidelines: Refrain from deploying full-fledged exploits that may result in application crashes or compromise the stability of our active services. Should you discover a severe exploit that requires immediate attention, please contact us at bugs@devol.network. We'll provide you with a duplicate instance of the affected service for validation.

• Exclusion of Social Engineering Techniques: Do not employ social engineering methods such as phishing or vishing during testing.

• Testing Against Customer Accounts: Testing against any form of customer account is strictly prohibited without explicit permission granted by our team.

• Preservation of Customer Assets: Under no circumstances should you access, damage, or negatively impact residential or business customers, including any associated customer data.

• Avoid DoS or DDoS Attacks: We strongly discourage the execution of Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks. Application-level, network-level DoS/DDoS, or port flooding attacks can adversely affect service delivery to our users and are not within the scope of appreciated testing methodologies.

• Physical Security Evaluation: Do not attempt to evaluate the physical security of DeVol offices, employees, equipment, or related assets.

• Prohibition of User Attack: It is strictly forbidden to target or compromise our end users or engage in the trade of stolen user credentials.

• Non-Interaction with Real Customers: Refrain from any form of interaction with real customers or their accounts during testing.

Thank you for your understanding and cooperation in ensuring the smooth progress of our Program while upholding the security and integrity of our services.

Rules of reporting

We greatly value the integrity of our internal processes and workflows. Our dedicated security team is committed to continuous testing and vigilance, so when submitting your reports, please adhere to the following guidelines. Failure to do so may result in disqualification from our Program Bounty. If you come across a Severe or Critical Vulnerability, we request that you encrypt your emails.

• Exclusive Reporting Channel: Kindly direct your reports solely to bugs@devol.network. Avoid copying or tagging other staff members in your communication.

• Confidentiality and Communication: Refrain from discussing or disclosing Vulnerabilities on social media or through blog posts, either before or after reporting. Any such actions may lead to potential legal consequences.

• Limited Communication: Limit your discussions to DeVol's technical staff only. Please avoid sharing information about identified Vulnerabilities with others.

• Report Format: When possible, avoid sharing direct links, executables, or scripts in your report. Instead, attach a text file or PDF outlining your findings.

• Media Formats: Screenshots should be submitted in PNG, BMP, or TIFF formats, while Proof of Concept (POC) videos are accepted in MP4, AVI, WEBM, and MOV formats. These limitations are in place for internal security reasons.

• Single Point of Contact: All reports, without exception, should be directed to bugs@devol.network.

Your adherence to these reporting rules contributes to a streamlined and secure Program operation. Thank you for your cooperation and understanding as we collectively work to enhance the security of our services.

Recommended reporting format

Effective communication of Vulnerabilities ensures swift and accurate assessment. When submitting your reports, please use the following structured format:

• Summary: Begin with a concise overview of the Vulnerability. For instance: "Hello, I have identified an 'x' issue on your server."

• Target: Clearly specify the Vulnerable domain name or subdomain name. For example: "Vulnerable target: so and so on https://example.devol.network."

• Vulnerability Details: Elaborate on the nature of the bug or Vulnerability, and provide the URL or location where the Vulnerability can be observed. For instance: "The Vulnerability stems from unfiltered characters in the URL [/search.php?q=], specifically on the path /search.php within the 'q' parameter."

• Description of Technical Severity: Offer a detailed technical explanation of the Vulnerability, outlining its nature and potential impact. For example: "The client-side executes JavaScript rendered through /search.php?q=somescript, posing a risk of unauthorized code execution."

• Recreation: Provide step-by-step replication instructions or a proof of concept to help us recreate the issue. For instance: "To reproduce, follow these steps which our team can use:..."

• Additional Information: Include relevant details such as Request and Response dumps, trace dumps, or HTTP requests that could aid in better understanding and validation.

• Attachments (Recommended): Whenever possible, attach supporting materials such as proof-of-concept scripts, screenshots, or screen recordings to enhance clarity.

Your adherence to this structured reporting format greatly assists our security team in efficiently identifying, understanding, and addressing reported Vulnerabilities. Thank you for your commitment to helping us maintain a secure platform.

Ineligibility Criteria

Certain issues fall beyond the scope of Program and are not eligible for rewards. Please note that the following categories of Vulnerabilities will be considered out of scope:

• WordPress/2FA Related Bugs: Vulnerabilities pertaining to WordPress or Two-Factor Authentication are not within the scope of this program.

• Theoretical Vulnerabilities: Issues lacking actual proof of concept will be considered theoretical and ineligible for rewards.

• Open Redirects/Lack of Security Speed Bump: Vulnerabilities like open redirects or absence of security measures when leaving the site will not be rewarded.

• Internal IP Address/Version Disclosure: Reports regarding internal IP addresses or version disclosures will be considered out of scope.

• Email Verification Deficiencies: Problems like email verification flaws, password reset link expiration, and password complexity policies are not eligible for rewards.

• SPF Records: Reports on invalid, incomplete, or missing SPF, DKIM, or DMARC records are not rewardable.

• Minimal Security Impact: Vulnerabilities such as clickjacking/UI redressing with minimal security impact or text/code injection without impact will not be rewarded.

• Email/Mobile Enumeration: Issues like email or mobile enumeration, which solely identify emails through password reset, are not within the scope.

• Information Disclosure: Reports related to minimal security impact information disclosure (e.g., stack traces, path disclosure, directory listings, logs) are not eligible.

• Known or Duplicate Issues: Internally known, duplicate, or publicly disclosed issues are considered out of scope.

• Rate Limiting/Tab-nabbing: Rate limiting issues and tab-nabbing Vulnerabilities are ineligible for rewards.

• Non-URL Selfless/HTMLi: Non-URL Selfless and HTML injection without significant security impact are not within the scope.

• Known CVEs: Vulnerabilities related to known Common Vulnerabilities and Exposures (CVEs) without proper testing are not eligible.

• Out-of-Date Platforms: Vulnerabilities only exploitable on outdated browsers or platforms will not be rewarded.

• CSRF with Limited Impact: CSRF issues without significant impact on account integrity (e.g., log in/out, publicly accessible forms) are out of scope.

• Auto-fill Web Forms: Vulnerabilities related to auto-fill web forms are not within the scope.

• Known Vulnerable Libraries: Issues involving known Vulnerable libraries without an actual proof of concept are not eligible.

• Lack of Security Flags in Cookies: Missing security flags in cookies are considered ineligible.

• SSL/TLS Issues: Vulnerabilities related to unsafe SSL/TLS cipher suites or protocol versions are out of scope.

• Session/Cookie/Content Spoofing: Session expiry, cookie issues, and content spoofing Vulnerabilities are not within the scope.

• Cache-Control Issues: Vulnerabilities related to cache-control are not eligible.

• Missing Security Headers: Absence of security headers that do not lead to direct exploitation is considered out of scope.

• CSRF with Negligible Impact: CSRF Vulnerabilities with negligible security impact (e.g., non-critical feature interactions) are not rewardable.

• Root/Jailbreak Requirements: Vulnerabilities requiring root/jailbreak are not eligible.

• Physical Access Requirements: Vulnerabilities requiring physical access to a user's device are considered out of scope.

• No Security Impact: Issues with no security impact, like failure to load a web page, are ineligible.

• Phishing: Phishing activities, including HTTP Basic Authentication Phishing, are not within the scope.

• Service Disruption: Any activity causing service disruption, such as DoS/DDoS attacks, will not be rewarded.

• Installation Path Permissions: Vulnerabilities related to installation path permissions are considered ineligible.

• Automated Tool/Scan Reports: Reports generated by automated tools or scans are not eligible for rewards.

Please be mindful that non-compliance with any of the above rules will result in disqualification from our Program and eligibility for a Bounty. Thank you for your understanding and cooperation.

If you have any doubts related to your submissions, please feel free to email bugs@devol.network or read the T&C.