Bitcoin Forum
Topic: [BUG BOUNTY] ARAX — Your Universal Crypto Wallet
AraxApp (OP)
March 12, 2019, 09:30:18 AM
Last edit: April 05, 2019, 05:29:26 AM by AraxApp
#1

ARAX BUG BOUNTY IS LIVE NOW.
Win up to $5,000 for critical exploits

We leave no stone unturned in maintaining and improving our Arax Crypto Wallet to provide our users with an efficient, multi-blockchain wallet that is easy and safe to use. However, nothing is perfect and there is always room for improvement. We would appreciate and reward your help in making us aware of our weaknesses and security vulnerabilities so that we can work on them and bring you an unrivaled product.




Policy

We request the security research community to provide us with a reasonable time span to fix a vulnerability before bringing it into daylight. Our appeal to you is to submit a detailed description of the bug that you encountered along with the steps we can take to reproduce your observation.

While doing this, we request you to be conscious of our user’s privacy, data confidentiality, and integrity. We highly prioritize the privacy of our community and would greatly value your assistance in preserving it. Please be mindful of the fact that we cannot work in coordination with any individual who is a violator of applicable laws or regulations, exploiter of a security issue or who attempts to access the data of other users.

We promise to review your submitted report and address the security challenges faced by you in a timely manner. We will also maintain communication with you during the investigation and inform you once the issue is resolved. We will refrain from taking legal action against you or initiating a legal investigation of you if you’ve made a good faith effort to abide by this policy.

This bug bounty program is dedicated to being made aware of online security issues that can potentially affect Arax users. If you are encountering issues with your individual account, please email us at support@arax.io.


Key Points

- The target is the Arax Android App, available on the Google Play Store and iOS App Store.
- Arax.io is not part of the Bug Bounty Program.
- The bug bounty program will run from 5th April to 31st May 2019.
- Audit reports will be released after the 7th June 2019.
- This program is not open to minors.
- Arax (LALA World) reserves the right to modify the rules for this program or deem any submissions invalid at any time. Arax may cancel the Bug Bounty program without notice at any time.


In Scope Vulnerabilities

High Priority (P1)
- Remote Code Execution (RCE)
- Remote File Inclusion (RFI)
- Significant Authentication Bypass


Medium Priority (P2)
- SQL Injection
- Authorization Flaw
- Sensitive Data Exposure
- Server Side Request Forgery (SSRF)


Low Priority (P3)
- Cross Site Scripting
- Cross-Site Request Forgery (CSRF)
- Open Redirect on Sensitive Parameter
- Improper Direct Object Reference (IDOR)
- Open Redirect


Out of Scope Vulnerabilities

We request you to consider the attack scenario and exploitability along with the security impact of the issue when reporting a vulnerability. We have listed certain types of attacks which are out of scope and won’t be considered in this program. These include:
- Repudiation of service attacks
- Denial of Service
- Phishing attacks
- Social engineering attacks
- Reflected file download
- Disclosure of Software version
- Problems demanding direct physical access
- Bugs requiring remarkably unlikely user interaction
- Vulnerabilities impacting out-of-date browsers and plugins
- Publicly accessible login panels
- CSV injection
- Email enumeration / account oracles
- CSP Vulnerabilities
- Email Spoofing
- Content redaction bypasses (evading the (Hidden by Arax) filter)


Eligibility

The Arax Team reserves all rights to determine whether the minimum severity threshold is met and whether the issue has been previously reported. Rewards are given entirely at the discretion of the Arax Team.

To qualify for a reward under this program, you must:

- Join the LALA World Official Telegram Group.
- Be the first individual to report the bug. Send a clear written description of the problem faced, along with the steps to reproduce the bug.
- Attach files such as screenshots or proof-of-concept code as required.
- Reveal the bug report directly and exclusively to the Arax team.
- Mention the impacted endpoints, URL(s) and any other parameters.


Report a bug

- Prepare a detailed report of the bug, including a description of the bug, steps to reproduce it, its potential impact and screenshots.
- Upload your bug report here.
- Include the wallet address where you would like to receive the payment.
- Please share only your active email IDs when signing up for the campaign.
- Please allow us 7 business days to respond.


Disclosure Policy and Rules of Participation

- Do not create multiple accounts to perform testing of Arax applications and services.
- Do not perform brute force testing to check if rate limiting is in place for certain APIs or parts of functionality.
- Social engineering (e.g. phishing, vishing, smishing) is strictly forbidden.
- Make a good faith effort to avoid violating privacy, destroying data, and disrupting or degrading our service.
- You are allowed to test the Arax mobile app and demonstrate its vulnerabilities only from your own account. Hacking into another individual’s account is strictly prohibited.
- We have only mentioned the minimum reward amount below under each category. Our aim is to be fair when granting rewards, which are entirely at our discretion.
- The employees of LALA World or any of its partner companies or the authors of the code where the security flaws have been reported, cannot participate in the Arax Bug Bounty hunt.


Rewards

Our maximum bounty is $5,000.

Reward amounts may vary with regard to the severity, difficulty to exploit, and effect of the reported bug. You will receive your bounty within 2 weeks from the date of triage if your report is the chosen winner.

Please note that reward decisions are at the discretion of Arax. We do not reward duplicate reports. Examples of issues that may be considered lower severity given additional context include:
- A reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information)
- Self-XSS
- An RCE on an asset that doesn’t house production data.

Note that bounties will be paid in BTC or ETH.

We will also be rewarding people who give us unique and creative suggestions regarding enhancement of our App security and services.

Technical Severity and Reward Range

- P1 High: $200 - $500
- P2 Medium: $100 - $200
- P3 Low: $25 - $100



For any bounty-related queries or questions, ask only in the Bounty Support Group.


Tim1996
April 01, 2019, 07:06:38 AM
#2

Audit reports will be released on 1st April 2019

Today is 1st April.
The bug bounty is over; head towards the tap bounty channel to know the winners.
