Focused on business applications, Bitswift comes with a community and support network of tech pros that have been working with blockchain since its inception. However, Bitswift is more than just a blockchain and token. Bitswift is composed of community, companies, and customers from all sectors including real estate, healthcare, governance, supply chain management, retail, and much more.
Bitswift.cash allows people to conveniently participate in the token economy, providing an accessible interface interconnecting blockchains, leaving the user in control of their own personal digital information.
The bug bounty program is focused around bugs that relate to the ability to exploit the deposit, withdrawal, and claim processes on https://bitswift.cash. Bitswift seeks to ensure its claim, deposit, and withdrawal systems are functioning as intended and cannot be exploited to any user's advantage.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.
Critical-level payouts are only applicable when the vulnerability results in users being able to withdraw more than they are supposed to be able to or when their accounts are credited more than the actual deposit or when the user is able to claim more crypto than the stipulated time period allows. Otherwise, they may be classified as High.
Additionally, all web and app bug reports without proof of concept exploits with demonstrated impact, as well as recommendations for new features, are not accepted.
There is currently a total bounty pool of CAD $5,710. Because of this, if there are valid bug reports covering different vulnerabilities submitted where the total reward amount is greater than the remaining bounty pool amount, the appropriate reward levels will be provided on a first-come-first-served basis, and the total bounty pool will be used to reward reports on this priority system until exhausted. This amount will be updated as rewards are paid out and rewards will adjust accordingly.
Payouts are handled by Bitswift directly. The USD amount published is just an estimate. In the event of a discrepancy between the CAD and USD exchange rates with the estimate provided on this page, the prevailing CAD rate will apply. However, payouts are done in BTC, ETH, CASH or BITS. Before any payout, the bug must first be verified and validated by Bitswift.
Websites and Applications
- up to CAD $5,710 (~USD $4,515)
Assets in scope
- TargetWebsites and ApplicationsType
We are especially interested in receiving and rewarding vulnerabilities of the following types:
- Remote Code Execution
- Trusting trust/dependency vulnerabilities
- Vertical Privilege Escalation
- XML External Entities Injection
- SQL Injection
- Horizontal Privilege Escalation
- Stored XSS
- Reflective XSS with impact
- CSRF with impact
- Direct object reference
- Internal SSRF
- Session fixation
- Insecure Deserialization
- Direct object reference
- Path Traversal
- DOM XSS
- SSL misconfigurations
- SSL/TLS issues (weak crypto, improper setup)
- URL redirect
- Misleading Unicode text (e.g. using right to left override characters)
- Coercing the application to display/return specific text to other users
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
- Theoretical vulnerabilities without any proof or demonstration
- Content spoofing / Text injection issues
- Captcha bypass using OCR
- CSRF with no security impact (logout CSRF, change language, etc.)
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
- Server-side information disclosure such as IPs, server names, and most stack traces
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Vulnerabilities requiring unlikely user actions
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
- Lack of SSL/TLS best practices
- DDoS vulnerabilities
- Attacks requiring privileged access from within the organization
The following activities are prohibited by bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
- Multi accounts
Instructions for replication of the bug must be provided in order for consideration.