Announcing the imToken 2.0 Bug Bounty Program

imToken
Published Jul 19, 2018 (5 min read)

We are announcing the imToken 2.0 Bug Bounty Program in cooperation with SlowMist.

Security is always the top priority in the field of digital wallets. In order to create a safe and reliable product for users, we are launching the “imToken Security Vulnerability and Threat Intelligence Bounty Program” (in other words, a bug bounty program) in conjunction with the SlowMist Team. We would like to invite excellent developers and security enthusiasts to participate. For those who find vulnerabilities, imToken and SlowMist have generous rewards in return.

SlowMist has published an announcement with comprehensive information on the program, and we reproduce the same announcement below; see the full announcement on their website here.

Credits to the SlowMist Team

Scope of imToken’s Business

  • imToken App, available at https://token.im/download;
  • imToken related Web platforms: *.token.im, *.consenlabs.com;
  • imToken mailboxes, servers, etc.;
  • TFT smart contract.

Processing Flow

Reporting Stage

The reporter visits the website of the “SlowMist Zone” and opens the “Submit Bug Bounty” page (URL: https://slowmist.io/en/bug-bounty.html) to submit threat intelligence (Status: to be audited).

Processing Stage

  1. Within one working day, the SlowMist Security Team will confirm receipt of the threat intelligence report via the “SlowMist Zone”, follow up on the evaluation of the problem, and meanwhile forward the intelligence to the imToken contact person (Status: under review).
  2. Within three working days, the imToken technical team will handle the problem, draw conclusions and assign a score (Status: confirmed/ignored). Where necessary, the team will communicate and confirm with the reporter and ask the reporter for assistance.

Repairing Stage

  1. The imToken business department shall fix the security problems reported in the threat intelligence and schedule the update and release (Status: repaired). The repair time depends on the severity of the problem and the difficulty of the repair. Generally speaking, it is within 24 hours for critical and high-risk problems, within 3 working days for medium-risk problems, and within 7 working days for low-risk problems. App security issues are constrained by the version release cycle, so their repair time is determined according to the actual situation.
  2. The reporter reviews whether the security problem has been repaired (Status: reviewed/reviewed with objection).
  3. After the reporter has confirmed that the security problem has been repaired, the imToken technical team informs the SlowMist Security Team of the treatment conclusion and the vulnerability score, and issues the reward together with the SlowMist Security Team (Status: closed).

Vulnerability Level and Reward Standards

*SLOWMIST is an Ethereum ERC20 token, the ecological incentive token of the SlowMist Zone.

Critical Vulnerabilities

A critical vulnerability is one that occurs in the business system of a core system (the core control system, field control, business distribution system, bastion host, or other control system that manages a large number of systems), causes a large-scale impact, grants control over a large number of business systems (the number to be determined according to the actual situation), or grants the privileges of core-system administrators and thereby control of the core system.

Including but not limited to:

  • Control of multiple machines in the internal network.
  • Acquisition of super-administrator privileges on the core back-end, which can cause large-scale leakage of the enterprise’s core data and huge impact.
  • Smart contract integer overflow and race condition vulnerabilities.

High-risk Vulnerabilities

  • Access to system privileges (getshell, command execution, etc.);
  • SQL injection in the system (back-end vulnerabilities are downgraded; batched submissions may be upgraded as appropriate);
  • Unauthorized access to sensitive information, including but not limited to direct access to the management back-end by bypassing authentication, weak passwords on important back-ends, and SSRF that can obtain a large amount of sensitive information from the internal network, etc.;
  • Arbitrary file read;
  • XXE vulnerabilities that can obtain arbitrary information;
  • Unauthorized operations involving money, or payment logic bypasses (must be successfully exploited);
  • Serious logical design and process defects. This includes but is not limited to login as any user, batch modification of any account’s password, logic vulnerabilities involving the enterprise’s core business, etc., except for verification code brute-forcing;
  • Other vulnerabilities that affect users on a large scale. This includes but is not limited to stored XSS on important pages that can propagate automatically, and stored XSS that can obtain administrator authentication information and can be successfully exploited;
  • Leakage of a large amount of source code;
  • Access control defects in the smart contract.

Medium-risk Vulnerabilities

  • Vulnerabilities that affect users through an interaction step, including but not limited to stored XSS on general pages, CSRF involving core business, etc.;
  • General unauthorized operations. This includes but is not limited to modifying user data and performing user operations by bypassing restrictions;
  • Denial-of-service vulnerabilities. This includes but is not limited to remote denial of service caused by denial of service of website applications;
  • Vulnerabilities in sensitive system operations caused by successful brute-forcing of the verification code logic, such as login as any account and retrieval of any password, etc.;
  • Leakage of sensitive authentication key information stored locally, which must be effectively usable.

Low-risk Vulnerabilities

  • Local denial-of-service vulnerabilities, including but not limited to client-side local denial of service (file format parsing, crashes triggered by network protocols), problems caused by exposed Android component permissions, common application permissions, and so on;
  • General information leakage. This includes but is not limited to Web path traversal, system path traversal, directory browsing, etc.;
  • Reflected XSS (including DOM XSS/Flash XSS);
  • Ordinary CSRF;
  • URL redirection vulnerabilities;
  • SMS bombing, mail bombing (each system is credited with only one instance of this vulnerability type);
  • Other vulnerabilities that are less harmful or cannot be proven to be harmful (such as CORS misconfigurations that cannot access sensitive information);
  • Blind SSRF (no return value) that cannot be exploited further.

The vulnerability classification criteria above are adapted from those of Xianzhi; thank you!

About SlowMist

SlowMist Technology Co., Ltd. was founded by a team with over ten years of front-line cybersecurity defense experience and specializes in the security of the blockchain ecosystem. With core technical capabilities in security audits, defense deployment and underground threat intelligence tracking, SlowMist delivers security audits and defense deployments for exchanges, wallets and smart contracts around the world. Through its tracking engine, which acts as a unique weathervane of underground hacker activity, SlowMist continues to provide threat intelligence to partner companies and governments.

For more information about imToken

imToken Website: https://token.im/
Twitter: https://twitter.com/imTokenOfficial
Telegram Announcement Channel: https://t.me/imTokenAnnouncement
Telegram Discussion Channel (EN): https://t.me/imTokenEN
Telegram Discussion Channel (CN): https://t.me/imTokenGroup
Email: support@consenlabs.com
