Bug Bounty Program (Web)

Welcome to the Neptune Mutual Web Vulnerability Disclosure Program!

At Neptune Mutual, we take the security of our systems and the data they contain very seriously. We understand that security vulnerabilities can arise from time to time, and we are committed to working with the community to identify and fix any issues as quickly as possible.

To that end, we have implemented a bug bounty program to encourage responsible reporting of vulnerabilities in our web-based systems. If you believe you have discovered a vulnerability, we encourage you to let us know right away so that we can address it.

Services in Scope#

For this program, we reward vulnerabilities submissions for the following system

Services/Vulnerabilities Not in Scope#

  • Neptune Mutual Protocol Smart Contracts
  • Reports from unconfirmed automated online vulnerability scanners (Acunetix, Vega, etc.).
  • Any imaginary vulnerability or best practices devoid of POCs. Autocomplete attribute present in web forms. Flaws that impact obsolete browsers or platforms. 
  • Absence of security-relevant HTTP headers that do not directly lead to a vulnerability.
  • Inclusion/exclusion of SPF/DMARC records.
  • Insecure SSL/TLS ciphers  (unless you have a working proof of concept that leads to vulnerability). Best practices related to SSL/TLS.
  • Mixed content warnings. 
  • User account or wallet enumeration attacks.
  • Self XSS
  • Denial of Service Attack (DOS or DDOS)
  • Lack of Rate Limiting
  • Brute force / password reuse attacks.
  • Issues with Directory Traversal. Disclosure of publicly available files and directories (e.g. robots.txt, sitemap.xml, atom.xml, etc). Software version, path, or stack traces disclosure.
  • Massive automated platform actions through crawling (except if it gathers sensitive information from members).
  • Attempts at physical or social engineering. Problems that need physical access to the computer or device of the victim.
  • Vulnerabilities in third-party dependencies, services, and applications that we employ should be reported directly to the relevant project. Recently leaked zero-day exploits. Just-disclosed reports of known vulnerabilities in subcomponent parts (such as OpenSSH). We intend to implement security updates within 30 days, thus reports about recently published vulnerabilities are irrelevant.

Qualifying Vulnerabilities#

  • SQL or MongoDB Injection.
  • Exposure of sensitive members information.
  • Exposure of configuration files or secrets.
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA).
  • Local File Disclosure (LFD).
  • Code injections.
  • Cross-Site Scripting (XSS).
  • Cross-Site Requests Forgery (CSRF).
  • Server-Side Request Forgery (SSRF).
  • Remote Code Execution (RCE).
  • Access Control Issues.
  • Server-side code execution bugs
  • Others

How to Participate?#

To participate in this program, please follow the guidelines below:

  • Provide a clear and succinct description of the vulnerability, including the steps required to reproduce it via standard *nix tools and commands. You must be the first person to report a vulnerability to be eligible for a reward.
  • Do not reveal the vulnerability to the public or share it with third parties until it has been resolved.
  • Do not exploit the vulnerability or harm our systems or data in any way.
  • If the same vulnerability exists across different products, please combine and submit a single report.
  • In cases of report duplication, we will only count the first report received as valid, and all future reports will be flagged as duplicates.

Please don't try to launch denial-of-service (DoS) attacks, utilize black-hat search engine optimization (SEO) techniques, spam other users, or attempt to brute force authentication, as doing so could adversely affect the availability of our services for everyone. Also, it's not a good idea to use automated vulnerability testing tools that create a lot of traffic.

In return, we promise to:

  • Respond to your report within 72 hours.
  • Keep you updated on the progress of the investigation and resolution of the vulnerability.
  • Acknowledge your contribution in a timely manner, once the vulnerability has been fixed.

We are committed to working with the security community to ensure the security of our systems. We appreciate your work to help us find and fix any security vulnerability in our systems, and we're grateful for what you've done to make our systems safer.

Submit Vulnerability

Awards:#

  • Informational: $0
  • Low Severity: Up to $50
  • Medium Severity: Up to $100
  • High Severity: Up to $200
  • Critical Severity: Up to $500

Thank you for your participation in the Neptune Mutual Web Vulnerability Disclosure Bug Bounty Program. Together, we can make sure that our systems and the data they hold are safe and secure.

Disclaimer:#

We are unable to issue rewards to persons on sanction lists or who reside in sanctioned countries (such as Cuba, Iran, North Korea, Sudan, and Syria). Depending on your place of residence and citizenship, you are responsible for all tax consequences. Depending on local regulations, there may be further constraints on your ability to enter. This is an experimental and discretionary rewards scheme, not a competition. You must realize that we have the right to discontinue the program at any moment and that the decision to award a reward is solely within our discretion. Obviously, your testing cannot breach any laws or interrupt or jeopardize third-party data.

By