Immunefi
Immunefi

Bitswift Cash

Submit a Bug
04 February 2021
Live since
No
KYC required
$4,515
Maximum bounty
13 October 2022
Last updated

Program Overview

Focused on business applications, Bitswift comes with a community and support network of tech pros that have been working with blockchain since its inception. However, Bitswift is more than just a blockchain and token. Bitswift is composed of community, companies, and customers from all sectors including real estate, healthcare, governance, supply chain management, retail, and much more.

Bitswift.cash allows people to conveniently participate in the token economy, providing an accessible interface interconnecting blockchains, leaving the user in control of their own personal digital information.

The bug bounty program is focused around bugs that relate to the ability to exploit the deposit, withdrawal, and claim processes on https://bitswift.cash. Bitswift seeks to ensure its claim, deposit, and withdrawal systems are functioning as intended and cannot be exploited to any user's advantage.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

Critical-level payouts are only applicable when the vulnerability results in users being able to withdraw more than they are supposed to be able to or when their accounts are credited more than the actual deposit or when the user is able to claim more crypto than the stipulated time period allows. Otherwise, they may be classified as High.

Additionally, all web and app bug reports without proof of concept exploits with demonstrated impact, as well as recommendations for new features, are not accepted.

There is currently a total bounty pool of CAD $5,710. Because of this, if there are valid bug reports covering different vulnerabilities submitted where the total reward amount is greater than the remaining bounty pool amount, the appropriate reward levels will be provided on a first-come-first-served basis, and the total bounty pool will be used to reward reports on this priority system until exhausted. This amount will be updated as rewards are paid out and rewards will adjust accordingly.

Payouts are handled by Bitswift directly. The USD amount published is just an estimate. In the event of a discrepancy between the CAD and USD exchange rates with the estimate provided on this page, the prevailing CAD rate will apply. However, payouts are done in BTC, ETH, CASH or BITS. Before any payout, the bug must first be verified and validated by Bitswift.

Websites and Applications

Critical
Level
up to CAD $5,710 (~USD $4,515)
Payout
PoC Required

Assets in scope

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Websites and Applications

  • Users being able to withdraw more than they are supposed to be able to
    Critical
    Impact
  • Users accounts are credited more than the actual deposit
    Critical
    Impact
  • Users are able to claim more crypto than the stipulated time period allows
    Critical
    Impact

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Theoretical vulnerabilities without any proof or demonstration
  • Content spoofing / Text injection issues
  • Self-XSS
  • Captcha bypass using OCR
  • CSRF with no security impact (logout CSRF, change language, etc.)
  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
  • Server-side information disclosure such as IPs, server names, and most stack traces
  • Vulnerabilities used to enumerate or confirm the existence of users or tenants
  • Vulnerabilities requiring unlikely user actions
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  • Lack of SSL/TLS best practices
  • DDoS vulnerabilities
  • Attacks requiring privileged access from within the organization

The following activities are prohibited by bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Multi accounts

Other Notes

Instructions for replication of the bug must be provided in order for consideration.