Atomic Wallet $1,000,000 Bug Bounty Program

Written by Elizabeth Wright
Updated on December 18, 2023

On Monday 18th December, 14:00 GMT, Atomic Wallet, a leading innovator in the decentralized wallet space, launched a Bug Bounty Program with a staggering USD 1,000,000 prize pool. 

The initiative invites security experts and passionate hobbyists worldwide to join forces in identifying and rectifying any potential security vulnerabilities or bugs in the Atomic Wallet App, ensuring an even more secure experience for millions of users globally.

"Recent events in the blockchain industry have once again reminded us that cybersecurity is a dynamic field, and the best way to stay ahead is by harnessing the creativity and expertise of the global community," noted Konstantin Gladych, Founder of Atomic Wallet. "We are confident and eager to see how this program will contribute to our mission of providing a secure and seamless user experience."

Atomic Wallet is taking an extraordinary step by adding a further security layer: crowdsourcing security testing through its Bug Bounty Program.

The Details of the Bounty

Participation in the Bug Bounty Program is open to anyone with the skills and determination to help Atomic Wallet strengthen its security infrastructure. Whether you're an experienced cybersecurity professional or a passionate hobbyist, your contributions are welcome.

Bounty Rewards:

  • $100,000 for discovering a vulnerability that allows an attacker to attack or drain a wallet without physical access, installed malware, or social engineering, i.e. a genuine over-the-internet attack exploiting a flaw in our code or dependencies
  • Up to $10,000 for critical-risk vulnerabilities
  • Up to $5,000 for high-risk vulnerabilities
  • Up to $1,500 for medium-risk vulnerabilities
  • Up to $500 for low-risk vulnerabilities

The cumulative prize pool of $1,000,000 is a testament to Atomic Wallet's commitment to the highest levels of data security and enhancing app functionality.

Scope:

  1. Android (Google Play): https://play.google.com/store/apps/details?id=io.atomicwallet&hl=en&gl=US
  2. iOS (App Store): https://apps.apple.com/us/app/atomic-wallet/id1478257827
  3. Android APK (find the link to the latest release inside the .txt file): https://releases.atomicwallet.io/download/latest-android.txt
  4. Desktop (find the link to the latest release inside the .txt file):
     • Windows: https://releases.atomicwallet.io/download/latest-win.txt
     • Mac: https://releases.atomicwallet.io/download/latest-mac.txt
     • Ubuntu: https://releases.atomicwallet.io/download/latest-ubuntu.txt
     • Debian: https://releases.atomicwallet.io/download/latest-debian.txt
     • Fedora: https://releases.atomicwallet.io/download/latest-fedora.txt
  5. Web:
     • https://releases.atomicwallet.io*
     • https://services.atomicwallet.io*

How to Participate

Please familiarise yourself with the Bug Bounty Policy and Program Rules, Eligibility criteria, and Submission guidelines. We aim to make the process as transparent and straightforward as possible, ensuring seamless collaboration between our security team and the global community.

Please read the out-of-scope section before beginning the testing.

Do NOT test the Atomic Wallet contact form or create multiple support tickets via different Atomic Wallet support channels.

Bug Bounty Policy and Program Rules:

Response Targets

Atomic Wallet will make its best effort to meet the following SLAs for our program participants:

Type of Response      SLA (business days)
First Response        < 1 day
Time to Bounty        < 7 business days (we respect your time and don't hesitate to reward)
Time to Resolution    Depends on severity and complexity

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Please do not discuss this Program or any vulnerabilities (even resolved ones) outside of the Program without prior written consent from Atomic Wallet.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not precise enough to reproduce the issue, the issue will not be eligible for a reward.

Report Submission Best Practices

When reporting vulnerabilities, please consider (1) the attack scenario/exploitability and (2) the security impact of the bug. The Google Bug Hunters University guide may help you judge whether an issue has a security impact.

Submit one vulnerability per report.

WARNING: If the same exploit occurs across multiple endpoints, please include those endpoints under your single submission. Do NOT file multiple reports for the same exploit.

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

When duplicates occur, we only award the first report received (provided it can be fully reproduced).

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service (including denial of service). Only interact with accounts you own or with the explicit permission of the account holder.

All submissions should be addressed to [email protected] with the subject: "Bounty: <description>" so we can handle it accordingly.

Rewards

  • The minimum reward for a valid vulnerability report is $50.
  • The maximum reward for a valid vulnerability report is $100,000.
  • Reward decisions are at the discretion of Atomic Wallet.

In Scope Vulnerabilities

Technical vulnerabilities or security-related problems in any part of our company's public internet-facing surface (websites and subdomains under Atomic Wallet's control).

Technical vulnerabilities or security-related problems in our company's Desktop and Mobile Wallet applications.

External Dependencies

Atomic Wallet makes use of several open (and closed) source libraries. If you discover a vulnerability in an open-source dependent library or OS component, we advise you to follow responsible disclosure procedures directly with the library or OS vendor. We will not pay bounties on undisclosed vulnerabilities found in dependent components. However, if you can demonstrate a severe vulnerability of any of our software/servers due to that library with a working Proof of Concept, we will, on a case-by-case basis, consider this in scope and grant rewards.

Out of scope APP Vulnerabilities

If you find a vulnerability that is not part of the in-scope vulnerabilities, please report it, and we will investigate it. Depending on the severity of the vulnerability, you will be listed in our Hall of Fame and may be eligible for a reward. Any rewards for out-of-scope vulnerabilities will be granted on a case-by-case basis.

The following issues are currently considered out-of-scope:

  1. Weaknesses that would require email phishing or social engineering.
  2. Attacks requiring MITM or physical access to a user's device.
  3. Previously known vulnerable libraries without a working Proof of Concept.
  4. Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS.
  5. Sites or software run entirely by another company that is merely hosted on a subdomain of, or linked to from, our company (e.g. Constant Contact, Zendesk).
  6. Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  7. Vulnerabilities only affecting users of outdated or unpatched browsers or wallets [less than 3 stable versions behind the latest released stable version].
  8. Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
  9. Package include/dependency vulnerabilities without demonstrating a vulnerability.
  10. Issues that require unlikely user interaction.
  11. (KNOWN ISSUE) Disclosure of methods, endpoints or API keys for third-party blockchain APIs (e.g. Bitcoin, Tezos, Waves), including the known embedded API key and the known outdated SwaggerHub/OpenAPI issue (also mentioned in the specific scopes for increased awareness).

The following activities must not be attempted without prior permission:

  1. Extended testing/attacks of Atomic Wallet servers or infrastructure
  2. Rate limiting or brute-force attacks on Atomic Wallet backend infrastructure
  3. Any activity that could lead to the disruption of our service (DoS).

Out of scope WEB Vulnerabilities

  • Reports from automated tools or scans.
  • False-positive SQL injection (to avoid submitting a false positive, please ensure that you can provide a working PoC that demonstrates the ability to retrieve the current database or current user name).
  • Spam vulnerability, mail spoofing, mail bomb, etc.
  • Self-XSS.
  • Use of a known-vulnerable library or component.
  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS.
  • Rate limiting or brute-force issues on non-authentication endpoints.
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies.
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  • Vulnerabilities that only affect users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version].
  • Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
  • Tabnabbing.
  • Issues that require unlikely user interaction.
  • Vulnerabilities that are already known (e.g. discovered by an internal team).
  • Best-practice reports are not eligible for bounties but are appreciated.
  • CMS-related vulnerabilities.

To request permission, please email [email protected], add to the title “Bug Bounty”, and mention the details of your test, including what endpoint(s) you will be hitting, what type of scan/attack/etc you would like to try, and what you're trying to achieve. We will respond to your request within 2 working days, ideally less. We will approve the request as long as it is reasonably well thought out and we don't see a risk.

Safe Harbor

Any activities consistent with this policy will be considered authorized conduct, and we will not report them to any law enforcement agencies or initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, Atomic Wallet will take steps to make it known that your actions were conducted in compliance with this policy.

DISCLAIMER: You agree that Atomic Wallet has the right to modify Bug Bounty Program rules and make decisions regarding bug payments at its sole discretion at any time.

Atomic Wallet may change the rules of the Bug Bounty Program and may decide on bug payment amounts at its sole discretion at any time. We value the efforts of every participant; however, we reserve the right to adjust the program and determine appropriate rewards in each case. We will promptly communicate any changes to the Bug Bounty Program.

By participating in the Bug Bounty Program, you acknowledge and agree to these terms. If you have any questions, don't hesitate to contact our support team.
