<Bug Bounty>

Our highest priority is the security and efficiency of all FortKnoxster solutions. That’s why we are offering community members, bounty hunters, and any skilled individuals or groups the opportunity to submit input that improves the security of our platform.

Of course, we also want to show our appreciation to our bug hunters, so we offer rewards to participants who succeed in this program.

Policy

FortKnoxster is built on blockchain technology and offers an advanced end-to-end encrypted chat messenger, wallet, storage and video calls, all within one web and mobile platform.

As security and privacy are our bread and butter, we at FortKnoxster look forward to working with the security community to find security vulnerabilities in order to keep our customers and our business safe.

Program Rules

  • Please provide detailed reports with reproducible steps demonstrating a plausible remote exploitation scenario. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g., phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • As project maintainers, we at FortKnoxster hold the final decision on which issues constitute security vulnerabilities. We hope for your understanding and respect for this.
  • Any images, screenshots, files and videos produced to illustrate a vulnerability PoC must be submitted in the report and must not be posted on any public channel (e.g. a YouTube video).

Disclosure Policy

  • Although this is a public program, please do not discuss or disclose any vulnerability (even resolved ones) outside of this program without express consent from FortKnoxster.
  • Any finding should be made available to FortKnoxster immediately and will remain non-public until the FortKnoxster team has had sufficient time to publish an update that solves the issue.

Getting Started

To begin testing the FortKnoxster platform, please go to web.fortknoxster.com or use any of our apps:

Please note that you will need a valid phone number to sign up. In any scenario where you need more than one user, you will need to sign up each user with a different, unique phone number.

Our supported desktop browsers are Chrome, Firefox, Opera and Chromium-based browsers.

Features and Updates

Please note that any upgrades or added features are announced on both our Medium blog and our Telegram chat. See the links below.

You can also refer to the following:

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider the attack scenario / exploitability and security impact of the bug. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF or forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).
  • Attacks requiring MITM or physical access to a user’s device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Password and account recovery policies, such as reset link expiration or password complexity.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration (we require evidence of actual SSL/TLS vulnerability).
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Vulnerabilities only affecting unsupported browsers.
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
  • SMS/SS7 attacks.
  • DDoS attacks.
  • Username or phone enumeration.
  • Self-XSS attacks.
  • Invalid or missing SPF/DKIM/DMARC records.
  • Issues related to software or protocols not under FortKnoxster’s control.

Areas of Interest

These are some of the vulnerabilities and bugs in which we have a special interest:

  • Logic errors.
  • Congestion and scalability.
  • Cryptography issues.
  • Missing access controls / unprotected or debugging interfaces.

Service Level Agreement (SLA)

FortKnoxster will make its best effort to meet the following SLAs for participants in our program:

  • Time to first response (from report submit) – 2 business days.
  • Time to triage (from report submit) – 2 business days.
  • Time to bounty (from triage) – 5 business days.

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Initially, rewards are tiered by threat level as specified below:

  • Critical Threat level (CVSS 9.0–10.0)
  • Major Threat level (CVSS 7.0–8.9)
  • Medium Threat level (CVSS 4.0–6.9)
  • Low Threat level (CVSS 1.0–3.9)

Please note that these are general guidelines, and that reward decisions are at the discretion of FortKnoxster.

Reporting a Vulnerability

Any vulnerability or bug discovered should be reported only to the FortKnoxster team at Bug Bounty. As specified in our Disclosure Policy, participants should not discuss or disclose any vulnerability (even resolved ones) outside of this program without express consent from FortKnoxster. Please ensure that you disclose vulnerabilities to the team as soon as you find them.

In order to help us understand the full context of the vulnerability, we require participants to include as much information as possible in their report. Overall, the more detailed your report is, the easier it will be for the team to triage and replicate the vulnerability.

Safe Harbour

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Good Luck to All Participants

Finally, we would like to wish all participants, and especially our community members, the best of luck with this program. We are glad to have you on board, assisting and supporting the security of FortKnoxster and all its users.

</Bug Bounty>