So it has been a while since this topic was first discussed, any updates from the core team? I’m not sure if the team has thought of this, but I think a bug bounty thing will make Incognito even more rigid with the help of outside developers, security experts (besides security audits, of course).
Bug bounty program
I assume they wouldn't do anything like this till the audit came back and the issues in it were fixed.
As far as I know, the audit is for the smart contract only.
We don’t have a Bug Bounty program now, but we will. Let’s join the PRV Holders call to discuss the audit and bounty things.
Hi,
I’m sorry to intrude on this thread, but I found a vulnerability. Does Incognito have a bug bounty program, or how can I contact the security dev?
Regards
Hello @Tonali,
Please email [email protected] with the relevant information and we will discuss further via email.
Feel free to CC me as well: [email protected]
Hello @Tonali,
I spoke with the dev team and they confirmed the provided endpoints are only used for staging (development purposes) and are no longer used.
Hi @Jared
So, is the endpoint intentionally left as it is? And there is no internal information in it?
I still see some new activities inside it.
e.g. Created_at: ISODate('2023-07-03T05:01:55.888Z').
But TBH, leaving a server database like that is indeed extremely rare, especially in a blockchain project. It is highly unlikely and illogical for it to still be in use with a port that is somehow private (not 80/443).
Hey @Tonali, thank you for your report. We really appreciate it.
Let me clarify the purpose of that database here. As you mentioned, this is a blockchain project, and all the main data is generated from the blockchain, which is open to everyone. The database you discovered contains indexed blockchain data for easier querying from the app. It’s a bit different from the data in traditional software.
I completely agree with you that it’s a common practice to have some form of authentication for databases, even in a development environment. I have already instructed the developer to disable open access.
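As an added illustration, not taken from this thread or from the Incognito project, here is the kind of change the previous reply describes: a mongod.conf fragment with open access beside one with authentication required and the listener bound to a local interface. This assumes the exposed store is MongoDB (inferred from the ISODate() output quoted above); the port and addresses are placeholders.

```yaml
# Before (typical of a staging box): listens on every interface and has no
# security section, so authorization is off and anyone who can reach the
# port can read and write the data.
net:
  port: 27017          # placeholder; the thread mentions a non-standard port
  bindIp: 0.0.0.0

---
# After: reachable only from localhost (add the app server's private address
# if it connects remotely) and every client must log in as a role-based user.
net:
  port: 27017          # placeholder
  bindIp: 127.0.0.1
security:
  authorization: enabled
```

With `authorization: enabled` and no users yet, MongoDB's localhost exception lets you create the first admin user from a local shell, after which remote clients must supply credentials.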
Good luck.