Published in



1. Introduction

ANIVERSE started the bug bounty program on the 24th with up to 3000 ANV to solve the ANIVERSE NFT bug problem.

Bug Bounty is a system that gives a bounty if a company finds vulnerabilities in its services and products.

The ANIVERSE bounty program is our way to reward security researchers for finding serious security vulnerabilities in ANIVERSE NFT Beta website, including our core application (all functionality associated with ANIVERSE NFT, particularly in NFT transaction) and ceratin ancillary applications in the early stage to enhance our security and provide safe services to users.

We look forward to working with all security researchers and strive to be respectful, always assume the best, and treat others as peers. We expect the same in return from all participants.

2. Scope

It targets vulnerabilities that occur in the website below.

3. Bounty Amount

3,000 ANV

Vulnerability Examples

1)Account Takeover: Authentification Bypass

2) Security Vulnerabilities

3) Stealing Access Token

4)Remote Code Execution

4. Excluded from the bounty

The following cases are excluded from the bounty.

-If the vulnerability is not reproduced at the time the bug report was received

-Even if the vulnerability is reproduced at the time of receiving the bug report if Naver is aware of the vulnerability

-For example, when the ANIVERSE service has not been modified due to the 1 Day vulnerability,

-In this case, the ANIVERSE security team provides a sufficient explanation to the reporter about how and when it was discovered inside.

-When server information is obtained through unnecessary actions other than vulnerability proof

-Vulnerabilities previously reported by others

-already publicly known vulnerabilities

-In case of presenting only possibilities without proof

-Denial-of-Service (DoS) attacks

-When too many user interventions are required

-If you turn off the security function and cause a vulnerability

-Vulnerabilities already reported elsewhere (other than KISA)

-URL Redirection


-Page tampering with error pages

-Security, CSP header related

-A replay of specific features of the service

-The vulnerability that affects only you (Self XSS, when you can attack only yourself by directly modifying packets)

-Exposing the server’s application information

-Stealing cookies due to not applying SSL

-Vulnerabilities that are judged to have no other security threats

5. Restrictions and Disclosure Policy

Restrictions and Disclosure Policy.

Please do not disclose detailed information about the vulnerability until the vulnerability is fixed and most users have updated it. However, vulnerabilities can be disclosed if permitted by the ANIVERSE security team.

Please refrain from actions that may cause harm to other users.

6. Report

We would appreciate it if you could leave a weakness in a medium comment. The report should include the following:

-Vulnerability name

-How to find vulnerabilities

-Code to reproduce the bug

-Services and domains encountered

-A description of how the vulnerability could pose a security threat

<ANIVERSE Official Links>

▶ Homepage:

▶ White-Paper:

▶ Twitter:

▶ Facebook:

▶ YouTube:

▶ Telegram Official Group:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


ANIVERSE is a ‘Contents Theme Park Platform’ for the world to enjoy