Bug Bounty Program

Security is a collaboration. Report bugs and get rewarded.

Vulnerability types

Critical

Critical business: up to $10,000*

General business: up to $5,000*

Edge business: up to $2,500*

*We may pay more for severe bug reports on a case-by-case basis.

Critical severity issues pose a significant risk to clients or to Deriv itself. They typically affect relatively low-level components of the infrastructure. For example:

  • Arbitrary code/command execution on a server in our production network
  • Arbitrary queries on a production database
  • Bypassing our sign-in process, either password or 2FA
  • Accessing sensitive production user data and internal production systems
  • Payment-related vulnerabilities that could result in loss to our clients and the company

High

Critical business: up to $5,000

General business: up to $2,500

Edge business: up to $1,000

High severity issues are typically narrower in scope than critical ones, but could expose sensitive client and company data to an attacker. For example:

  • Cross-site scripting (XSS) that bypasses content security policy (CSP)
  • The ability to bypass verification, log in to clients’ accounts or devices, extract clients’ sensitive data, and perform actions without consent
  • Gaining access to back-end code, internal session cookies, or other sensitive information
  • Exploiting interactive logic issues that can cause loss to clients

Medium

Critical business: up to $500

General business: up to $250

Edge business: up to $100

Medium severity issues allow an attacker to gain unauthorised access to read or modify a limited amount of sensitive data. This data is typically less sensitive than that exposed by high severity issues. For example:

  • The ability to access a limited portion of clients’ sensitive information, our back-end code, or internal information on GitHub
  • XSS that does not bypass CSP and does not execute unauthorised actions in another user’s session
  • Cross-site and server-side request forgery (without access to our internal network)
  • Subdomain takeover

Low

We will reward low severity vulnerability reports that help us resolve serious security issues, with the amount decided on a case-by-case basis.

Low severity issues expose a very limited amount of data. They may violate expectations of how something is supposed to work, but do not allow privilege escalation or trigger unexpected behaviour. For example:

  • Triggering debug error pages without proof of exploitability or obtaining sensitive information
  • Cross-site request forgery (non-critical)
  • Vulnerabilities that depend on unlikely scenarios or pre-conditions
  • Exposed logs without sensitive information