ANIVERSE NFT Bug Bounty
ANIVERSE started the bug bounty program on the 24th with up to 3000 ANV to solve the ANIVERSE NFT bug problem.
A bug bounty is a system that gives a bounty when vulnerabilities are found in a company's services and products.
The ANIVERSE bounty program is our way to reward security researchers for finding serious security vulnerabilities in the ANIVERSE NFT Beta website, including our core application (all functionality associated with ANIVERSE NFT, particularly NFT transactions) and certain ancillary applications, at this early stage, so that we can enhance our security and provide safe services to users.
We look forward to working with all security researchers and strive to be respectful, always assume the best, and treat others as peers. We expect the same in return from all participants.
It targets vulnerabilities that occur in the website below.
3. Bounty Amount
1) Account Takeover: Authentication Bypass
2) Security Vulnerabilities
3) Stealing Access Token
4) Remote Code Execution
4. Excluded from the bounty
The following cases are excluded from the bounty.
-If the vulnerability is not reproduced at the time the bug report was received
-If Naver is already aware of the vulnerability, even if it is reproduced at the time the bug report is received
-For example, when the ANIVERSE service has not yet been modified for a 1-day vulnerability
-In this case, the ANIVERSE security team provides the reporter with a sufficient explanation of how and when it was discovered internally.
-When server information is obtained through unnecessary actions other than vulnerability proof
-Vulnerabilities previously reported by others
-Already publicly known vulnerabilities
-In case of presenting only possibilities without proof
-Denial-of-Service (DoS) attacks
-When too many user interventions are required
-If you turn off the security function and cause a vulnerability
-Vulnerabilities already reported elsewhere (other than KISA)
-Page tampering with error pages
-Security, CSP header related
-A replay of specific features of the service
-The vulnerability that affects only you (Self XSS, when you can attack only yourself by directly modifying packets)
-Exposing the server’s application information
-Stealing cookies due to not applying SSL
-Vulnerabilities that are judged to have no other security threats
5. Restrictions and Disclosure Policy
Please do not disclose detailed information about the vulnerability until the vulnerability is fixed and most users have updated it. However, vulnerabilities can be disclosed if permitted by the ANIVERSE security team.
Please refrain from actions that may cause harm to other users.
We would appreciate it if you could leave the vulnerability report in a Medium comment. The report should include the following:
-How to find vulnerabilities
-Code to reproduce the bug
-Services and domains encountered
-A description of how the vulnerability could pose a security threat