# YUBIT Bug Bounty Program

We are excited to announce the launch of the **YUBIT Bug Bounty Program** and warmly encourage security researchers and community members to participate by reporting vulnerabilities.

📩 Please submit bug reports to: **<bd@yubit.com>**\
Our security team will review and validate submissions promptly and will contact you after confirmation.\
Your contributions to security are highly valued!

***

### 1. Web Bug Bounty

**Scope of Testing:**

* [www.yubit.com](https://www.yubit.com)

**Reward Range:**

* Low Risk: **$50 – $100**
* Medium Risk: **$100 – $500**
* High Risk: **$500 – $1,000**
* Critical: **$1,000 – $5,000**

***

### 2. Web Vulnerability Severity Definitions

#### (1) Critical Vulnerabilities

Affect core business systems (control systems, domain controllers, distribution systems, bastion hosts, etc.) and may cause severe damage.\
**Possible outcomes:**

* Unauthorized control of business systems
* Access to core system admin rights
* Full control over core infrastructure

**Examples:**

* Control of multiple devices in the internal network
* Access to backend super admin privileges, leading to major data leaks
* Smart contract overflow or race condition exploits

#### (2) High-Risk Vulnerabilities

* Privilege escalation (GetShell, command execution)
* SQL injection
* Authentication bypass, weak passwords, SSRF, sensitive data exposure
* Arbitrary file read / XXE
* Unauthorized transactions or payment logic bypass
* Severe logic flaws (e.g., login as any user, bulk password resets)
* Stored XSS (wide impact)
* Large-scale source code leak
* Smart contract privilege misconfigurations

#### (3) Medium-Risk Vulnerabilities

* User-interaction required issues (e.g., stored XSS, CSRF)
* Horizontal/parallel authorization bypass
* Denial of Service (DoS)
* CAPTCHA flaws leading to brute force attacks
* Local sensitive key leakage

#### (4) Low-Risk Vulnerabilities

* Local DoS (client crash)
* Minor information disclosure (path traversal, directory listing)
* Reflected/DOM XSS
* Basic CSRF
* URL redirection issues
* SMS/email spamming (limited per system)
* Other low-impact or unproven issues

***

### 3. Vulnerabilities Not Accepted

* Email spoofing
* User enumeration
* Self-XSS / HTML injection
* Missing CSP / SRI
* Non-sensitive CSRF
* Android configuration issues (e.g., `android:allowBackup="true"`)
* Performance-only issues (e.g., slow image rendering)
* Third-party component version disclosure (e.g., Nginx version)
* Non-security functional bugs
* Social engineering against YUBIT employees

***

### 4. Smart Contract Vulnerability Definitions

#### (1) Critical

* Manipulation of governance voting
* Direct theft of user funds (excluding unclaimed rewards)
* Permanent freezing of funds
* Miner Extractable Value (MEV) exploitation
* Insolvency of the protocol

#### (2) High Risk

* Theft or freezing of unclaimed rewards/royalties
* Temporary freezing of funds

#### (3) Medium Risk

* Contract halts due to token exhaustion
* Exploiting network congestion for profit
* Gas theft or forced excessive gas usage
* Disruptive, non-profitable sabotage

#### (4) Low Risk

* No direct fund loss but damages trust/commitments
* Informational risks (oracle errors, governance attacks, liquidity risks, Sybil attacks, etc.)
* Best-practice recommendations

***

### 5. Prohibited Activities

* Social engineering or phishing attacks
* Public disclosure or distribution of vulnerability details
* Destructive testing (only Proof of Concept is allowed)
* Unauthorized large-scale scanning
* Webpage modification, popup flooding, cookie theft, or intrusive payloads
* Any unreported damage during testing

⚠️ Failure to follow rules may result in **legal consequences**.

***

### 6. Closing Note

Thank you for contributing to the security of the YUBIT platform.\
Together, we can build a **safer and more transparent crypto ecosystem**.
