Even though our specialists do their best to reduce the number of bugs in our systems, Pylon Eco Token (PETN) invites independent security groups and individual researchers to study it across all platforms and help us make it even safer for our customers. If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us, so that we can address it as soon as possible. For security-related bugs and vulnerabilities, we offer rewards and recognition.
So, if you think that you have found a security vulnerability on this site, we strongly encourage you to send us a report regarding this matter.
Vulnerability description and reporting:
Generally speaking, any bug that poses a significant vulnerability could be eligible for the reward. But it's entirely at our discretion to decide whether a bug is significant enough to be eligible for the reward.
Security issues that typically would be eligible (though not necessarily in all cases) include:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Code Executions
- SQL injections
- Server-Side Request Forgery (SSRF)
- Privilege Escalations
- Authentication Bypasses
- File inclusions (Local & Remote)
- Protection Mechanism bypasses (CSRF bypass, etc.)
- Leakage of sensitive data
- Directory Traversal
- Payment manipulation
- Administration portals without authentication mechanism
Things that are not eligible for reward include:
- Lack of rate-limiting mechanisms
- Captcha related concerns
- Open redirects without a severe impact
- Application stack traces (path disclosures, etc.)
- Self-type Cross-Site Scripting / Self-XSS
- Vulnerabilities that require Man in the Middle (MiTM) attacks
- Denial of Service attacks
- CSRF issues on actions with minimal impact
- Cache Poisoning
- Missing SPF records
- Brute force attacks
- Security practices (banner revealing a software version, missing security headers, etc.)
- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
- Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.
- Vulnerabilities affecting outdated or unpatched browsers / Operating Systems.
- Bugs that have not been responsibly investigated and reported.
- Bugs in products or websites related to an acquisition, for a period of 180 days following any public announcement.
- Bugs already known to us, or already reported by someone else (reward goes to the first reporter).
- Issues that aren't reproducible.
- Issues that we can't reasonably be expected to do anything about.
Before participating in our bug bounty program, please see our rules and procedures below:
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
If any organization or individual decides to participate in our bug bounty program, they have to agree to the following:
- A bug report should contain enough information and proof-of-concept code or a screenshot.
- You agree to participate in testing the effectiveness of the countermeasure applied to your report.
- You agree to keep any communication with Pylon Eco Token (PETN) private.
How to report a bug
- Please send an email to [email protected] (in the subject line indicate “Bug reporting”).
- Include as much information in your report as you can: ideally, a description of your findings, the steps needed to reproduce them, and the vulnerable component (e.g. API endpoint).
- If you need to share screenshots/videos, please upload them to your own Google Drive or any other upload service and share with us the links to those files in the form.
- Include your correct name and email address so we can reach out to you.
- Allow us up to 7 business days to respond before sending another email on the matter.
- All rewards will be paid in PETN Tokens, so please send your PETN wallet address too.
Wall of Fame
- We will respond to qualified security researchers only.
- Rewarding a security researcher is the sole decision of the security department of Pylon Eco Token (PETN), so you are not entitled to a reward for every issue submitted.
- The same bug may be reported by multiple security researchers; we will reward only one person, the first to report it by explaining the issue in a simpler and better way.
- We have a Wall of Fame for all security researchers (both rewarded and non-rewarded) who spend their valuable time finding and reporting bugs on our website.
- To list your information in the Wall of Fame, please send your Display Name and any Social Media Profile or Email to link on it.