Bug bounty program

So it has been a while since this topic was first discussed, any updates from the core team? I’m not sure if the team has thought of this, but I think a bug bounty thing will make Incognito even more rigid with the help of outside developers, security experts (besides security audits, of course).

3 Likes

I assume they wouldn't do anything like this till the audit came back and the issues in it were fixed.

3 Likes

As far as I know, the audit is for the smart contract only.

1 Like

We don’t have a Bug Bounty program now, but we will. Let’s join the PRV Holders call to discuss audit and bounty things. :wink:

2 Likes

Hi,

I’m sorry to intrude on this thread, but I found a vulnerability. Does Incognito have a bug bounty program, or how can I contact the security dev?

Regards

2 Likes

@Support FYI

2 Likes

Hello @Tonali,

Please email [email protected] with the relevant information and we will discuss further via email.

Feel free to CC me as well: [email protected]

2 Likes

Hi @Jared

I already sent it to the email.
Hope it helps to secure the company.

Thanks

Nan

3 Likes

Hello @Tonali,

I spoke with the dev team and they confirmed the provided endpoints are only used for staging (development purposes) and are no longer used.

Hi @Jared

So, is the endpoint intentionally left as it is? And there is no internal information in it?
I still see some new activities inside it.
e.g. Created_at: ISODate('2023-07-03T05:01:55.888Z').

But TBH, leaving a server database like that is indeed extremely rare, especially in a blockchain project. It is highly unlikely and illogical for it to still be in use with a port that is somehow private (not 80/443).

Hey @Tonali, thank you for your report. We really appreciate it. :pray:

Let me clarify the purpose of that database here. As you mentioned, this is a blockchain project, and all the main data is generated from the blockchain, which is open to everyone. The database you discovered contains indexed blockchain data for easier querying from the app. It’s a bit different from the data in traditional software.

I completely agree with you that it’s a common practice to have some form of authentication for databases, even in a development environment. I have already instructed the developer to disable open access.

1 Like
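The misconfiguration discussed in the two posts above (a database reachable without authentication, with only an unusual port standing in for access control) and the fix the team describes, shown as an added example that is not Incognito's own configuration. MongoDB is assumed here because the quoted ISODate(...) value is MongoDB shell notation; the port, addresses and file contents are constructed.

```yaml
# --- Weak mongod.conf (constructed illustration) ---
# Listens on every interface and has no security section, so any client
# that can reach the port can read and modify the indexed data.
# A non-default port is obscurity, not a control: scanners find it anyway.
net:
  port: 27099
  bindIp: 0.0.0.0

# --- Hardened mongod.conf (constructed illustration) ---
# Bind only to loopback and the internal address the indexer/app uses,
# and require every client to authenticate as a role-based user.
# This applies to staging too: the reporter saw fresh records in the
# "staging" database, so it was still live and worth protecting.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
```

A host or cloud firewall rule that allows the database port only from the application servers should back the bindIp restriction, since bindIp alone does nothing if the machine later gains another interface.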

Good luck.

1 Like