
rhino.fi Bug Bounty
Earn over $30,000 by responsibly reporting security issues
Impact
Keeping our platform and our users safe is a high priority for us at rhino.fi and we recognise the importance of engaging with security researchers and the community. To incentivise the responsible disclosure of any security issues or vulnerabilities discovered, our bug bounty program exists to provide a framework for rewarding such efforts.
Severities and rewards
We use a system based on the Common Vulnerability Scoring System (CVSS) to determine the classification of any issues reported to us. When classifying the severity of an issue, we take into account factors such as how exploitable and complex the vulnerability is, the privileges required, and the degree of user interaction required for an attack to succeed. In addition, the impact or risk posed by a vulnerability is assessed by the scope of a potential attack and whether it would constitute a breach of the confidentiality, integrity or availability of our systems.
How our bug bounties are categorised
- No threat - $0
- Low - $30-50
- Medium - $500-5,000
- High - $5,000-30,000
- Critical - $30,000+
Note: We have not set a maximum reward for the reporting of security vulnerabilities, so we may increase the value of a reward based on the severity of the vulnerability discovered.
The dos and don’ts
| You must | You must not |
|---|---|
| Make a good faith effort to avoid accessing sensitive data, destroying data or degrading our systems. | Engage in Denial of Service attacks. |
| Only submit each issue once (multiple submissions are only encouraged when multiple issues are discovered). | Exploit any discovered vulnerability in any way, including by making it public. |
| Avoid using scanners or automated tools to find vulnerabilities (these will likely lead to a ban on your IP address). | Publicly disclose any vulnerabilities if they have not yet been resolved or you haven’t received our explicit consent. |
| | Attempt non-technical attacks, such as phishing or social engineering, against our employees, users or infrastructure. |
What is the scope of the bug bounty programme?
- app.rhino.fi
- api.rhino.fi
- http://github.com/rhinofi/dvf-client-js
- https://github.com/rhinofi/contracts_public
How can I disclose?
When disclosing security breaches, please use the address [email protected].
We will review all submissions in detail and follow up directly with you as part of the review process.
Once we have determined that you have found an eligible security issue and classified it, we will give you recognition for your work (if you so wish), set a date for when information may be publicly disclosed and allow you to claim your reward.
Please include a valid Proof-of-Concept (PoC) along with the disclosure. The reward amount may be reduced significantly without an illustrative PoC.
If you want more information about the programme, please check out our blog post here.