Bounty Program

Security

Rules of engagement

HODL Inc considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute "authorized" conduct under criminal law. HODL Inc will not pursue civil action or initiate a complaint for accidental, good-faith violations, nor will it file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities. If legal action is initiated by a third party against you and you have complied with the Terms, HODL Inc will take steps to make it known that your actions were conducted in compliance and with our approval.

Do not use automated scanners; we'd like to thank you, not ban you.

Your security research should NOT impact the performance of our websites.

All reports should be made by sending an email to security@hodl.group.

Reporting Guidelines
  • Provide detailed but to-the-point reproduction steps
  • Include a clear attack scenario: how exactly will this affect us?
  • Quality over quantity!
  • Please do NOT discuss bugs before they are fixed
  • In case a bug was already known to the team it will be flagged as duplicate.

Bounty Tiers

Tier     Low       Medium     High
Tier 1   $50.00    $100.00    $250.00
Tier 2   $25.00    $75.00     $150.00
Tier 3   $0.00     $25.00     $50.00

Website Tiers

Tier     Domain(s)
Tier 1   behodl.com
Tier 2   *.hodl.inc, gangsters.com, daddy69.com
Tier 3   boef.nl, earnyourcrypto.com, telfie.com, bulletstarclassic.nl

Severity Assessment

After disclosure under the rules of engagement, HODL Inc will assess the report and grade it. The lists below are an example of how you can expect your report to be graded.

High

  • Remote code execution
  • SQL Injection
  • Access to all customer data
  • Manipulation of game features giving unfair advantages to multiple players, or breaking the game as a whole
  • Access to another user's account
  • Able to steal funds

Medium

  • Public content manipulation
  • Manipulation of game features giving unfair advantages to 1 player
  • XSS
  • Impersonation of another user

Low

  • Debug stack traces
  • PHP info pages
  • Non-persistent (reflected) XSS