Threshold Network

The following impacts and attack vectors are excluded from rewards by default for all Immunefi bug bounty programs:

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist), except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
• Vulnerabilities requiring unlikely user actions

Smart Contracts and Blockchain/DLT

• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks
• Centralization risks
• Attacks that interact with either KEEP or NU legacy contracts

Websites and Apps

• Theoretical impacts without any proof or demonstration
• Content spoofing / Text injection issues
• Any impacts involving self-XSS
• Captcha bypass using OCR without impact demonstration
• Reflected plain text injection ex: url parameters, path, etc.
  • This does not exclude reflected HTML injection without javascript
  • This does not exclude persistent plain text injection
• CSRF with no state modifying security impact (ex: logout CSRF)
• CSRF with no security impact (logout CSRF, change language, etc)
• Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
• Clickjacking / UI redressing with minimal impact
• Server-side information disclosure such as IPs, server names, and most stack traces
• Vulnerabilities used to enumerate or confirm the existence of users or tenants
• Vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
• Broken link hijacking is out of scope
• Lack of SSL/TLS best practices
• Attacks involving DOS and/or DDoS
• UX and UI impacts that do not materially disrupt use of the platform
• Attacks that require physical contact to the victims computer and/or wallet
• Attacks requiring privileged access from within the organization
• Attacks requiring access to the local network of the victim
• Subdomain takeover without already-connected wallet interaction
• Issues related to the frontend without concrete impact and PoC
• SPF records for email domains
• SPF/DMARC misconfigured records
• Leakage of non sensitive api keys ex: etherscan, Infura, Alchemy, etc.
• Improperly disclosing confidential user information such as email address, phone number, physical address, etc.
• Outdated software CVE reporting (eg JQuery)
• Taking over broken or expired outgoing links such as social media handles, etc.
• Automated scanner reports without demonstrated impact
• Non-future-proof NFT rendering
• UI/UX best practice recommendations
• Feature requests
• Best practices

Prohibited Activities

The following activities are prohibited by this bug bounty program. Violation of these rules can result in a temporary suspension or permanent ban from the Immunefi platform at the sole discretion of the Immunefi team, which may also result in: 1) the forfeiture and loss of access to all bug submissions, and 2) zero payout.

Please note that Immunefi has no tolerance for spam/low-quality/incomplete bug reports, “beg bounty” behavior, and misrepresentation of assets and severity. Immunefi exists to protect the global crypto community, not facilitate grift.

Prohibited:

• Any testing with mainnet or public testnet deployed code; all testing should be done on private testnets
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty
• Any other actions prohibited by the Immunefi Rules. These rules are subject to change at any time.