TONBanking Bug Bounty Program 💎🪲

Introducing the Bug Bounty Program

TONBanking Bug Bounty Program is a way for us to recognize and reward the valuable insights of security researchers who contribute to keeping our technology and company secure. We invite you to report vulnerabilities, bugs, or security flaws you discover in our systems. By sharing your findings, you will play a crucial role in making our technology safer for everyone.

Step-by-step mechanics for bug bounty participants:

  1. Research the scope of the bug bounty program. Before starting the testing, carefully read the scope of the bug bounty program to understand what areas are in scope and what vulnerabilities are eligible for rewards.
  2. Find a vulnerability. Please use ethical hacking techniques to find a vulnerability within the scope of the bug bounty program.
  3. Document the vulnerability. Once a vulnerability is found, document the details of the vulnerability, including steps to reproduce it, the impact of the vulnerability, and any other relevant information.
  4. Submit the vulnerability report through the Bot bug form. Include the documented details of the vulnerability, your contact information, and any additional information that may be helpful. Visual evidence (screenshots or video) is required.
  5. Wait for a response. After submitting the vulnerability report, wait for a response from the TONBanking tech team. The response may include additional questions or requests for more information.
  6. Provide any additional information or assistance needed to validate the vulnerability.
  7. Receive the reward. If the vulnerability is validated and accepted, TONBanking will provide a reward after the launch of the project, based on the severity of the vulnerability. A reward is given only to the first person to report a given bug.
  8. Keep the vulnerability confidential until TONBanking confirms it and releases a patch. Public disclosure of vulnerabilities before confirmation and patch release may disqualify participants from the bug bounty program and may have legal implications.

Rules of Engagement

Prior to testing, we will provide test tokens to each registered participant to facilitate test transactions.

To help us distinguish between good-faith hacking and malicious attacks, you must follow these rules:

  • You are authorized to perform testing in compliance with this policy.
  • Follow this policy and any other relevant agreements. In case of inconsistency, this policy takes precedence.
  • Promptly report discovered vulnerabilities.
  • Refrain from violating privacy, disrupting systems, destroying data, or harming user experience.
  • Use TONBanking Private chat for vulnerability-related communication.
  • Keep vulnerability details confidential until authorized for release by TONBanking tech team, which aims to provide authorization within 60 days of report receipt.
  • Test only in-scope systems and respect out-of-scope systems.
  • Do not access, modify, or use data belonging to others, including confidential TONBanking data. If a vulnerability exposes such data, stop testing, submit a report immediately, and delete all copies of the information.
  • Interact only with your own accounts, unless authorized by TONBanking.

Please note that the speed of the testnet may differ from the actual speed of the live network!

The testing procedure

The TONBanking testing procedure consists of several steps to ensure the proper functioning of the platform and enable users to perform transactions successfully. The following is a step-by-step guide to the testing process:

  1. The 15K test tokens.
    A total of 15,000 testTON will be issued for testing purposes. These test tokens will be utilized to perform various transactions and ensure that the platform is functioning as expected.
  2. TONBanking agent sending test tokens.
    An agent from TONBanking will send 50 test TON to the tester's wallet. To receive these tokens, the tester must register a wallet through the TONBanking web app, which can be accessed via the @tonbanking_bot.
  3. Use of testTONB tokens.
    Testers can freely use the test TONB tokens for various purposes, including:
    a) Swapping test TON/TONB tokens: Testers can swap test TON tokens for test TONB tokens and vice versa using the mint and burn functions on the platform.
    b) Test TONB P2P transfers: Testers can perform peer-to-peer transfers of test TONB tokens to ensure that transactions are processed correctly and promptly.
    c) Test payments on test merchants: Testers can make payments to test merchants on the test merchant site (https://test-merchant-site.tonb.io/) to confirm that the payment process is seamless and user-friendly.
    d) Merchant user-journey testing: Testers should also evaluate the user journey from the merchant's perspective on the merchant site (https://merchant.tonb.io), ensuring that it is smooth and efficient.


By following this testing procedure, testers can identify any issues or areas of improvement in the TONBanking platform before it is launched to the public. This process helps ensure a positive user experience and a reliable platform for both users and merchants.


Duration

2 weeks

Scope and rewards

Scope

  • Website
  • API
  • Web app
  • Smart contracts
  • Backend systems

Levels of severity

There are several levels of bug severity:

  • Low Severity: Bugs that do not pose a significant security risk, such as UI issues, minor functionality bugs, or non-critical information leaks.
    Bounty range: $30 (TONB equivalent)
  • Medium Severity: Bugs that have a moderate impact on security, such as moderate information leaks or cross-site scripting attacks.
    Bounty range: $30-$200 (TONB equivalent)
  • High Severity: Bugs that have a critical impact on security, such as remote code execution (RCE) or server-side request forgery (SSRF) vulnerabilities.
    Bounty range: $200-$2000 (TONB equivalent)

Vulnerabilities

The following types of vulnerabilities are eligible for rewards:

  • Remote code execution
  • SQL injection
  • Cross-site scripting (XSS)
  • Authentication bypass
  • Privilege escalation
  • Denial of service (DoS)

Bug categories

The following sample bug categories are in scope (with criticality on a 10-point scale):

  • Significant interface distortion or other visible failures in the application that do not prevent the application from performing its functions (1 point - Low severity)
  • Significant interface distortion or other visible failures in the operation of the application, making it impossible to perform one or more functions of the application (2 points - Low severity)
  • Inconsistency between the displayed status of a completed operation and the actual status of its execution, for example the application reports that the funds have been transferred, but in fact they remained in the wallet (2 points - Low severity)
  • Possibility to confirm authorization/actions for other users (9 points - High Severity)
  • Possibility to get access to another merchant's personal account (10 points - High Severity)
  • The ability to fictitiously pay an invoice: the recipient does not receive funds or does not receive the entire amount, but the TONB wallet records that the invoice has been paid (success) (10 points - High Severity)
  • Ability to get the id of another TONB wallet or merchant user (7 points - Medium Severity)
  • Possibility to get the id and wallet addresses of another user (purse address linked to id) (8 points - Medium Severity)
  • Full access to another user's wallet (10 points - High Severity)

Possible events

Sample list of actions that must be completed as part of testing the TONBanking product. Any deviations from these actions are possible and acceptable.

  1. Create a wallet in TONB wallet [alternatively item 2]
  2. Restore a wallet using passphrases (import to TONB wallet) [alternatively item 1]
  3. Send another user 1 testTON. Check the transaction in the transaction history. Calculate the transfer fee. The user's address is entered by copying and pasting it from the clipboard.
  4. Send another user 1 testTON. Enter the user's address by copying and scanning the QR code from the main page of the application. Specify the transfer amount in the field for entering the amount to be received.
  5. Send another user 1 testTON. Enter the user's address by copying and scanning the QR code from the address entry page.
  6. Receive 1 testTON from another user. Check the transaction in the transaction history. Calculate the transfer fee.
  7. Mint 2 testTONB. Check transactions in the TON/TONB transaction history. Calculate the mint fee.
  8. Send another user 1 testTONB. Check transactions in TON/TONB transaction history. Calculate the transfer fee.
  9. Receive from another user testTONB in the amount of ~ 2 USD. Enter the amount in USD. Check transactions in TON/TONB transaction history. Calculate the transfer fee.
  10. Make a payment request (request payment) in the amount of 2 testTONB. Check account status in the account list.
  11. Receive a payment on an invoice in the amount of 2 testTONB. Check transactions in TON/TONB transaction history. Calculate the transfer fee.
  12. Pay an invoice in the amount of 2 testTONB. Check transactions in TON/TONB transaction history. Calculate the transfer fee.
  13. Burn 1 testTONB. Check transactions in the TON/TONB transaction history. Calculate the burn fee.
  14. Register in the merchant's personal account.
  15. Create a merchant wallet. Select a merchant's wallet to receive payments on invoices from the merchant's website. [alternatively item 16]
  16. Restore the merchant's wallet using passphrases (import). Select a merchant's wallet to receive payments on invoices from the merchant's website. [alternatively item 15]
  17. Check out the tutorial
  18. Enter domain parameters, get API key.
  19. Add a widget to a third-party site and use it to pay an invoice in the amount of 2 testTONB. Check the transaction history in the wallet. Check the history of accounts in the merchant's personal account.
  20. Implement on the merchant's website tracking of changes in invoice status through webhooks. Check that the webhooks are called correctly.
  21. Log in to the merchant's personal account by scanning the QR code from the wallet (webapp)
  22. Log in to the merchant's personal account by scanning the QR code on the phone
  23. Log in to the merchant's personal account by following the link in telegram

Incentives and rewards

To incentivize testing and as a token of our appreciation, we will be offering cash rewards based on the severity and impact of the reported issues. Our rewards range from $30 (TONB) for low-severity findings to up to $2000 (TONB) for exceptional discoveries. We recognize the importance of your contributions and are committed to acknowledging your efforts.

Validation

TONBanking will validate the vulnerability report and assign a severity level to the vulnerability. The reward amount will be determined based on the severity of the vulnerability.

Public disclosure

Researchers are not allowed to publicly disclose vulnerabilities until TONBanking has confirmed the vulnerability and has released a patch.

Accidental Disclosure: Insecure POC video sharing

It is recommended to include a video or screenshot as Proof-of-Concept in your submissions. These files should not be shared publicly. This includes uploading to any publicly accessible websites (for example, YouTube, Imgur, and so on). If the file exceeds 100MB, upload the file to a secure online service such as Vimeo, with a password.

Confidentiality Obligations

“Confidential Information” means any information that is marked or otherwise designated as confidential at the time of disclosure or that a reasonable person would consider confidential based on the circumstances and content of the disclosure, and includes, without limitation: customer information, personally identifiable information, financial information, information regarding Target Systems, information regarding the target of a crowdsourced security program (including, as may be applicable, any merger, acquisition or sale discussions or transactions), pricing information, business information, fees and amounts paid to Researchers and existence of and terms of private crowdsourced security programs. Confidential Information does not include information that: (i) is or becomes known to the receiving party from a source other than one having an obligation of confidentiality to the disclosing party; (ii) is or becomes publicly known or otherwise ceases to be confidential, except through a breach of this Agreement; or (iii) is independently developed by the receiving party.

You agree that you will (i) hold in confidence and not disclose to any third party any Confidential Information, except as approved in writing by disclosing party; (ii) protect such Confidential Information with at least the same degree of care that the Researcher uses to protect its own Confidential Information, but in no case, less than reasonable care; (iii) use the disclosing party’s Confidential Information for no purpose other than the use permitted by the disclosing party; and (iv) immediately notify disclosing party upon discovery of any loss or unauthorized disclosure of disclosing party’s Confidential Information.

ALL SUBMISSIONS ARE CONFIDENTIAL INFORMATION OF THE PROGRAM OWNER UNLESS OTHERWISE STATED IN THE BOUNTY BRIEF. This means no submissions may be publicly disclosed at any time unless the Program Owner has otherwise consented to disclosure.


As part of this policy, we commit to:

  • Provide protection, as outlined below, for vulnerability research conducted according to these guidelines.
  • Cooperate with you in understanding and validating your report, ensuring a prompt initial response to your submission.
  • Remediate validated vulnerabilities in a timely manner.
  • Acknowledge and credit your contribution to improving our security, if you are the first to report a unique vulnerability that leads to a code or configuration change.


Join Testnet: @tonbanking_bot

English Channel: @tonbanking

Russian Chat: @tonbanking_ru

Website: tonb.io
