Bug Bounty Program for DePix RESTful HTTP API
Welcome to the DePix RESTful HTTP API Bug Bounty Program. We value the contributions of security researchers in keeping our platform secure and appreciate your efforts in helping us identify vulnerabilities. Please read the following rules and guidelines carefully before submitting your findings.
Rules for Participation
1. Safe Harbor
We operate under a safe harbor policy. Actions performed in accordance with this program are considered authorized, and we will not take legal action against researchers acting in good faith.
2. Responsible Disclosure
A detailed description of the vulnerability.
Step-by-step instructions to reproduce the issue.
(Optional) Any scripts or tools used to identify the bug.
Do not publicly disclose the vulnerability or share it with third parties until we have resolved the issue and provided explicit permission.
3. Scope
In-scope endpoints include all APIs under the URL base: https://depix.eulen.app/api/*
Out-of-scope issues include:
Non-production environments.
Social engineering of DePix staff or customers.
4. Testing Guidelines
Perform tests only on your own accounts or resources explicitly created for testing.
Do not compromise user data, accounts, or the production environment.
For specific penetration testing activities, please notify our team in advance by emailing security@depix.info.
Functions that are marked as "Testing..." or "Developing..." are out of scope.
Reward Guidelines
The reward amount depends on the severity and impact of the reported vulnerability. We use the CVSS (Common Vulnerability Scoring System) as a reference for categorizing severity.

Severity Level | Description | Reward Amount |
---|---|---|
Critical | Funds compromise, permanent data corruption or serious data breach. | Up to $1,000 |
High | Exploits that enable privilege escalation, access to sensitive user data, or bypass of authentication. | Up to $300 |
Medium | Issues such as improper authorization checks or significant misconfigurations. | Up to $80 |
Low | Minor issues with limited security impact. | Up to $30 |
Evaluation Process
1. Initial Response: We will acknowledge receipt of your report within 7 business days.
2. Investigation Period: Our team will evaluate the issue and provide a resolution timeline within 20 business days.
3. Bug Fix and Reward: If your report is validated, the reward will be paid within 20 business days of the fix being deployed.
Exclusions
The following are not eligible for rewards:
Issues caused by outdated browsers or platforms.
Vulnerabilities already reported or known.
Attacks requiring physical access to devices.
Theoretical vulnerabilities without proof of concept or practical impact.
Denial of Service (DoS) attacks, including those affecting availability.
Social engineering attacks against employees, contractors, or third parties.
Vulnerabilities related to third-party software or services outside of our control.
Misconfigurations or issues in non-production environments.
Spam, phishing, or other forms of abuse not directly tied to security vulnerabilities.
Reports based on automated tools or scanners without clear evidence of impact.
We appreciate your commitment to responsible disclosure and thank you for helping keep DePix secure. If you have any questions, feel free to contact our security team at security@depix.info.