Blockchain.com Web & Mobile: Program Info

IN SCOPE VULNERABILITIES (WEB, MOBILE)

We are interested in the following vulnerabilities:

• Business logic issues
• Payments manipulation
• Remote code execution (RCE)
• Injection vulnerabilities (SQL, XXE)
• File inclusions (Local & Remote)
• Access Control Issues (IDOR, Privilege Escalation, etc)
• Leakage of sensitive information
• Server-Side Request Forgery (SSRF)
• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• Directory traversal
• Other vulnerabilities with a clear potential loss

OUT OF SCOPE

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

• Open redirect at blockchain.com/r unless you devise a way to bypass the warning screen
• Registering multiple wallet accounts with the same email address is an intended feature.
• Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.
• Clickjacking on pages with no sensitive actions.
• Password, email, and account policies, such as email address verification, password complexity.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Rate limiting or brute-force issues on non-authentication endpoints
• Missing flags like HttpOnly or Secure on cookies
• Missing best practices in Content Security Policy or best practice security headers
• Presence of autocomplete attribute on web forms
• Tabnabbing or Reverse tabnabbing
• Blind SSRF without proven business impact (DNS pingback only is not sufficient)
• Open redirect - unless an additional security impact can be demonstrated
• Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Phishing websites and malware lookalike applications (please report to Support staff instead)
• Physical security of our offices, employees, etc.
• Non-security-impacting UX issues

Third party providers and services

Web applications operated by third parties are only considered in scope under the following ways:

• Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.
• Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward these issues on top of the vendor based on the outcome of that report.

The following assets represent third-party applications, along with their vendors to report issues to:

• email-clicks.blockchain.com (SendGrid)
• support.blockchain.com (ZenDesk)
• blog.blockchain.com (Medium)
• docs.blockchain.com (GitBook)