Bug bounty programme

Security is a collaborative effort. Report bugs and earn rewards.

Vulnerability types

Critical

Core business

Up to $10,000*

General business

Up to $5,000*

Edge business

Up to $2,500*

*Higher payouts may be made on a case-by-case basis for severe bug reports.

Critical severity issues pose a major risk to clients or to Deriv itself. They usually affect relatively low-level components of the infrastructure. For example:

  • Arbitrary code/command execution on a server in our production network
  • Arbitrary queries on a production database
  • Bypassing our sign-in process, either password or 2FA
  • Accessing sensitive production user data and internal production systems
  • Payment-related vulnerabilities that could result in loss to our clients and the company

High

Core business

Up to $5,000

General business

Up to $2,500

Edge business

Up to $1,000

High severity issues are usually narrower in scope than critical issues, but they can expose sensitive client and company data to an attacker. For example:

  • Cross-site scripting (XSS) that bypasses content security policy (CSP)
  • The ability to bypass verification, log in to clients’ accounts or devices, extract clients’ sensitive data, and perform actions without consent
  • Gaining access to back-end code, internal session cookies, or other sensitive information
  • Exploiting interactive logic issues that can cause loss to clients

Medium

Core business

Up to $500

General business

Up to $250

Edge business

Up to $100

Medium severity issues allow an attacker to gain unauthorised access to read or modify a limited amount of sensitive data. This data is usually less sensitive than the data exposed by high severity issues. For example:

  • The ability to access a limited portion of clients’ sensitive information, our back-end code, or internal information on GitHub
  • XSS that does not bypass CSP and does not execute unauthorised actions in another user’s session
  • Cross-site and server-side request forgery (without access to our internal network)
  • Subdomain takeover

Low

Reports of low-severity vulnerabilities that help resolve serious security issues are rewarded, with the reward amount decided on a case-by-case basis.

Low severity issues expose a very limited amount of data. They may violate expectations about how something is supposed to work, but without the ability to escalate privileges or trigger unintended behaviour. For example:

  • Triggering debug error pages without proof of exploitability or obtaining sensitive information
  • Cross-site request forgery (non-critical)
  • Vulnerabilities that depend on difficult scenarios or pre-conditions
  • Exposed logs without sensitive information