Decentraland

The following vulnerabilities are excluded from the rewards for this bug bounty program:

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

• Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks
• Centralization risks
• Frontrunning, including backrunning and sandwich attacks that may not lead to user funds or assets
• Bugs in dependencies (unless they lead to equivalently direct attacks on Wormhole)
• Any secret data checked into the repository. Such as API/AUTH tokens

Websites and Apps

• Theoretical vulnerabilities without any proof or demonstration
• Attacks requiring physical access to the victim device
• Attacks requiring access to the local network of the victim
• Reflected plain text injection ex: url parameters, path, etc.
  • This does not exclude reflected HTML injection with or without javascript
  • This does not exclude persistent plain text injection
• Self-XSS
• Captcha bypass using OCR without impact demonstration
• CSRF with no state modifying security impact (ex: logout CSRF)
• Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact
• Server-side non-confidential information disclosure such as IPs, server names, and most stack traces
• Vulnerabilities used only to enumerate or confirm the existence of users or tenants
• Vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
• Lack of SSL/TLS best practices
• DDoS vulnerabilities
• Feature requests
• Issues/bugs without security vulnerablities described in the program
• Best practices
• Issues without concrete impact and PoC
• Vulnerabilities primarily caused by browser/plugin defects
• Leakage of non sensitive api keys ex: etherscan, Infura, Alchemy, etc.
• Any vulnerability exploit requiring browser bugs for exploitation. ex: CSP bypass
• Attacks requiring privileged access from within the organization
• Crashes in play.decentraland.org or scene preview
• Software defects in deployed scenes in play.decentraland.org
• Issues related to scene code itself
• Scenes deployed by users using malicious code that requires users to download or interact with it
• Any vulnerability that requires the user to input commands in the browser console

The following activities are prohibited by this bug bounty program:

• Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty