
Security Bounty Program

With a bounty program, we invite the software security community to research and discover security-related bugs and vulnerabilities on the Matters platform.

If you would like to report a vulnerability or have a question for us, please email us at security@matters.news.

Issues That Qualify

The following domains and assets are within the scope of the program:

To be eligible, you must demonstrate a security compromise on any of these domains and assets using a reproducible exploit, for example:

Issues That Do Not Qualify

Below are some issues we have determined as not posing a great risk, or as requiring a systematic redesign of how our product works. They are not counted as valid vulnerabilities, but we would still love to hear from you if you have any suggestions or comments.

  1. Self-XSS.
  2. CSRF/CORS configuration issues without a realistic scenario in which they can be exploited.
  3. Registering multiple accounts for a single user.
  4. Automation of certain actions such as liking, commenting on, or reading an article.
  5. Vulnerabilities in third-party tools that utilize the Matters API.
  6. Internal mechanisms and logic of third-party projects such as LikeCoin or IPFS.

We hope you:

And we will:

Rewards

We will decide, at our sole discretion, the level of reward based on the severity of the bug and the completeness of the submission. The reward can be paid in LikeCoin (preferred) or US dollars.

Critical: $500 (50000 LIKE)

Critical severity issues present a direct and immediate risk to a broad array of our users or to Matters itself. For example:

High: $150 (15000 LIKE)

High severity issues allow an attacker to read or modify sensitive data that they are not authorized to access. They are generally narrower in scope than critical issues, though they may still grant an attacker extensive access. For example:

Medium: $100 (10000 LIKE)

Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information, or have a more limited scope, than high severity issues. For example:

Low: Recognition on GitHub and Matters

Valid security vulnerabilities that don't fall into the categories above, or that apply to auxiliary services and third-party dependencies. For example:

We deal only with principals, not vulnerability brokers.

If you reside in a country on a United States restricted export control list, or are on a United States state or federal criminal wanted list or restricted export control list, you are not eligible to participate in this program.

We will make the final decision on bug eligibility and value. This program may be modified or canceled at any time, and any changes we make to this program's terms do not apply retroactively. Thanks for helping us make Matters more secure!