Moonbeam Network

Moonbeam is an Ethereum-compatible smart contract platform on the Polkadot network that makes it easy to build natively interoperable applications. This Ethereum compatibility allows developers to deploy existing Solidity smart contracts and DApp frontends to Moonbeam with minimal changes. As a parachain on the Polkadot network, Moonbeam benefits from the shared security of the Polkadot relay chain and integrations with other chains that are connected to Polkadot.

Tags: Polkadot, Blockchain, L1, Rust
Maximum Bounty: $100,000
Live Since: 16 December 2021
Last Updated: 21 November 2024
  • PoC required
  • KYC required

Assets in Scope

  • Target: (not listed) | Type: Websites and Applications | Added on: 13 May 2022
  • Target: (not listed) | Type: Websites and Applications | Added on: 13 May 2022
  • Target: (not listed) | Type: Websites and Applications | Added on: 13 May 2022
  • Target: (not listed) | Type: Blockchain/DLT - RPC Infrastructure (Moonbeam) | Added on: 10 May 2022
  • Target: (not listed) | Type: Blockchain/DLT - RPC Infrastructure (Moonbase Alpha) | Added on: 10 May 2022
  • Target: (not listed) | Type: Blockchain/DLT - RPC Infrastructure (Moonriver) | Added on: 10 May 2022
  • Target: (not listed) | Type: Blockchain/DLT - Frontier | Added on: 10 May 2022
  • Target: (not listed) | Type: Blockchain/DLT - Blockchain - Crowdloan Rewards | Added on: 20 April 2022
  • Target: (not listed) | Type: Blockchain/DLT - Blockchain - Nimbus | Added on: 20 April 2022
  • Target: (not listed) | Type: Blockchain/DLT - Blockchain - Moonbeam | Added on: 20 April 2022

Impacts in Scope

  • Critical: An attack triggering the network not being able to confirm new transactions (total network shutdown)
  • Critical: An attack causing an unintended permanent chain split requiring a hard fork (network partition requiring hard fork)
  • Critical: An attack causing direct loss of funds
  • Critical: An attack causing permanent freezing of funds (fix requires hard fork)
  • Critical: An attack causing the minting/creation of network utility tokens (MOVR/GLMR) outside of the normal, on-chain inflation mechanism
  • Critical: Ability to execute system commands
  • Critical: Extracting sensitive data/files from the server, such as /etc/passwd
  • Critical: Stealing user cookies
  • Critical: Signing transactions for other users
  • Critical: Redirection of user deposits and withdrawals
  • Critical: Wallet interaction modification resulting in financial loss
  • Critical: Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)

Out of scope

Program's Out of Scope information

The following vulnerabilities are explicitly excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Attacks relying in whole or in part on social engineering, deception or phishing attacks
  • Vulnerabilities in third-party dependencies not under Moonbeam Foundation's control, especially when no known fix exists at the time of the report. Such vulnerabilities should be reported to the respective third-party organizations responsible for the code. If we cannot fix the vulnerability, we will not pay a bounty.
  • Bugs or vulnerabilities in external services or platforms that Moonbeam Network uses but does not control.
  • Broken link hijacking
  • Non-Production Code: Any code present in the in-scope repositories that has not yet been deployed to the production Moonbeam or Moonriver networks is out of scope.
  • Theoretical Vulnerabilities: Vulnerabilities that are purely theoretical without practical exploitability. This includes exploits requiring unrealistic scenarios, assumptions, or clear human error.
  • Excessive Investment Attacks: Attacks that require an impractically high investment beyond reasonable means (e.g., requiring more than $100 million USD to execute).
  • User Negligence: Issues that arise solely from user misconfiguration or negligence, where exploitation is possible only if users ignore standard security practices.
  • Low-Impact DoS Attacks: Denial-of-Service (DoS) attacks that are temporary and do not result in significant disruption or measurable financial loss.
  • Best Practice Suggestions: Code optimizations, style guidelines, or recommendations that do not have a direct security impact.
  • Cosmetic Issues: Aesthetic issues, including typos, branding inconsistencies, or minor UI glitches that do not lead to security vulnerabilities or exploitation.

Smart Contracts and Blockchain

  • All smart contracts deployed on Moonbeam or Moonriver
  • Third-Party Oracle Data: Issues arising from incorrect data supplied by third-party oracles
  • Basic economic governance attacks (e.g. 51% attack)
  • Attacks relying on developers committing errors due to how Moonbeam’s EVM implementation differs from the standard EVM implementation
  • Liquidity Issues: Vulnerabilities or attacks that exploit a lack of liquidity.
  • Best Practice Critiques: Suggestions for improvements that do not address specific security vulnerabilities.
  • Sybil Attacks: Attacks involving the creation of multiple fake identities to gain disproportionate influence.
  • Centralization Risks: Risks associated with centralization that do not involve a specific vulnerability.
  • Any bugs or exploits in third party wallets

Websites and Apps

  • Theoretical Vulnerabilities: Issues without a working proof of concept or demonstration of impact.
  • Content Spoofing/Text Injection: Content spoofing or text injection issues that do not lead to further exploitation.
  • Self-XSS: Cross-Site Scripting attacks that require the victim to self-execute malicious code.
  • Captcha Bypass via OCR: Automated Captcha solving using Optical Character Recognition without direct security impact.
  • Non-Impactful CSRF: Cross-Site Request Forgery vulnerabilities that do not lead to significant security impact (e.g., logout CSRF, changing user preferences).
  • Missing Security Headers: Absence of HTTP security headers or cookie flags that do not lead to an exploitable vulnerability.
  • Server Information Disclosure: Disclosure of server information like IPs, server names, or stack traces that do not reveal sensitive data.
  • User Enumeration: Ability to enumerate or confirm the existence of users or tenants without further impact.
  • Unlikely User Actions: Vulnerabilities that require unrealistic or unlikely actions by the user.
  • Open Redirects: URL redirects unless they can be combined with another vulnerability to escalate the impact.
  • SSL/TLS Best Practices: Recommendations for SSL/TLS improvements without a direct security impact.
  • Low-Impact DDoS: Denial-of-Service vulnerabilities that do not cause significant disruption or financial loss.
  • Internal Privileged Access: Attacks requiring privileged access from within the organization.
  • Email SPF Records: Issues related to SPF, DKIM, or DMARC records for email domains without direct security impact.
  • Feature Requests: Suggestions for new features or enhancements.
  • Best Practice Suggestions: Recommendations for best practices without identifying specific vulnerabilities.

Default Out of Scope and rules

Blockchain/DLT specific

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks

All categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers

Rewards by Severity (Min. - Max.)

  • Critical: $100k
  • High: $25k
  • Medium: $15k
  • Low: $2.5k

Total Assets in Scope: 10
Total Impacts in Scope: 33