Bug Bounty Program
Help us build a more secure platform. Report security vulnerabilities and earn rewards for responsible disclosure.
Program Overview
At Asomi, security is our top priority. We believe that working with skilled security researchers across the globe is crucial in identifying weaknesses and keeping our users safe. Our bug bounty program is designed to reward researchers who help us discover and fix security vulnerabilities.
Mission: To create the most secure cryptocurrency wallet platform by collaborating with the global security research community.
We encourage responsible disclosure and provide clear guidelines for reporting security issues. All valid reports will be reviewed promptly, and eligible findings will receive monetary rewards based on their severity and impact.
Reward Structure
Rewards are determined based on the severity of the vulnerability, the quality of the report, and the potential impact on our users and platform. The following table outlines our reward structure:
Severity Level | Impact Description | Reward Range |
---|---|---|
Critical | Remote code execution, complete system compromise: vulnerabilities that allow attackers to execute arbitrary code, access user funds without authorization, or completely compromise the platform. | $5,000 - $25,000 |
High | Significant security bypass, data breach potential: authentication bypasses, privilege escalation, access to sensitive user data, or vulnerabilities affecting multiple users. | $1,000 - $5,000 |
Medium | Limited unauthorized access or functionality bypass: CSRF attacks, limited data exposure, rate limiting bypasses, or vulnerabilities with moderate impact. | $250 - $1,000 |
Low | Minor security issues with minimal impact: information disclosure with limited sensitivity, minor logic flaws, or issues with minimal security impact. | $50 - $250 |
Note: Final reward amounts are determined at Asomi's discretion based on the actual impact and quality of the security report. Exceptional reports may receive bonuses beyond the standard ranges.
Scope and Targets
In Scope
Web Application
Main Asomi web platform, user interfaces, and web-based wallet functionality
Mobile Apps
iOS and Android mobile applications and their backend services
APIs
REST APIs, GraphQL endpoints, and integration APIs used by our platform
Smart Contracts
Deployed smart contracts and blockchain integrations (when applicable)
Out of Scope
Social Engineering
Attacks targeting Asomi employees or users through deception
DoS Attacks
Denial of service attacks or network flooding attempts
Physical Security
Physical access to Asomi facilities or infrastructure
Automated Scanning
Automated vulnerability scanners without manual verification
Submission Process
Identify Vulnerability
Discover a security vulnerability within our defined scope. Ensure it's not a duplicate of a previously reported issue.
Document Findings
Create a detailed report including steps to reproduce, impact assessment, and potential mitigation strategies.
Submit Report
Send your report through our secure submission form or email with all necessary details and proof of concept.
Initial Review
Our security team will acknowledge receipt within 24 hours and provide an initial assessment within 5 business days.
Validation & Fixing
We'll validate the issue, determine severity, develop a fix, and keep you updated throughout the process.
Reward Payment
After successful validation and fixing, we'll process your reward payment and provide public recognition if desired.
Reporting Guidelines
What to Include in Your Report
- Clear Description: Explain the vulnerability and its potential impact
- Steps to Reproduce: Detailed, step-by-step instructions to reproduce the issue
- Proof of Concept: Screenshots, videos, or code demonstrating the vulnerability
- Impact Assessment: Explain how this could affect users or the platform
- Suggested Fix: If possible, provide recommendations for remediation
- Environment Details: Browser, OS, device information where applicable
Best Practices
- Test only against your own accounts or with explicit permission
- Do not access or modify other users' data
- Avoid any actions that could degrade service performance
- Report issues as soon as possible after discovery
- Provide clear and professional communication
- Be patient during the review and remediation process
Quality Matters: Well-documented reports with clear proof of concept and impact assessment receive priority review and may qualify for bonus rewards.
Program Rules and Terms
Eligibility Requirements
- You must be the first to report the specific vulnerability
- The vulnerability must be within our defined scope
- You must not publicly disclose the issue until we've had reasonable time to fix it
- You must not access or modify user data without explicit permission
- You must comply with all applicable laws and regulations
Disqualifications
- Vulnerabilities in third-party services not directly controlled by Asomi
- Issues that require physical access to user devices
- Reports based solely on automated scanning tools without manual verification
- Social engineering attacks targeting Asomi employees or users
- Denial of Service (DoS) attacks
- Spam or low-quality submissions
Legal Safe Harbor
Asomi supports security research conducted under this program. If you comply with our program guidelines and terms, we will not pursue legal action against you for your security research activities.
Important: This safe harbor applies only to research conducted within the bounds of this program. Unauthorized activities outside these guidelines may result in legal action.
Submit Security Report
Alternative Contact Methods
If you prefer not to use the form above, you can also reach our security team directly:
Email: contact@asomivalicanters.com
Subject Line: [SECURITY] Bug Bounty Report
PGP Key: Available upon request for sensitive communications
Response Time: Initial acknowledgment within 24 hours