Helium

target_in_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity |
|---|---|---|---|---|---|---|---|
| API | OTHER | low | low | | | medium | high |
| Blockchain | OTHER | high | medium | | | high | critical |
| Helium Hotspot | HARDWARE | medium | medium | | | high | critical |
| burrow.helium.systems | URL | medium | high | | | medium | critical |
| com.helium.mobile.wallet | APPLE_STORE_APP_ID | low | medium | | | low | high |
| com.helium.wallet | GOOGLE_PLAY_APP_ID | low | medium | | | low | high |
| console.helium.com | URL | low | medium | | | low | high |
| ota.helium.com | URL | high | medium | | | high | critical |
| www.helium.com | URL | none | none | | | low | low |

## API

Vulnerabilities associated with the Helium Blockchain API.

### Scope of work restricted to transaction management

- Ability to corrupt API records with malicious data
- Ability to interfere with the normal processing of pending transactions and cause transactions to be lost
- Ability to impersonate api.helium.io

## Blockchain

Vulnerabilities associated with the Helium Blockchain.

### Scope of work restricted to malicious transactions

- Any ability to insert an unknown transaction into the current blockchain. This would be considered a catastrophic failure and would halt the chain.
- Any ability to double spend. This is considered malicious behavior by any actor on the chain; however, it will not halt the chain.
- Any ability to replay the same transaction again.
- Any ability to modify an existing or pending transaction and have said transaction successfully clear.

### Cryptographic vulnerabilities

- Any ability to change the outcome of the next consensus group election would be considered a catastrophic failure.
- Any ability to impersonate a member of the consensus group.
- Any ability to defeat the threshold signature and threshold decryption scheme.
- Any ability to bypass the cryptographic safeguards in the distributed key generator.

## Helium Hotspot

Vulnerabilities associated with Hotspot hardware.

### Scope of work restricted to radio interference

Any ability to interfere with a radio packet that is within legal bounds and causes an internal failure in the radio processing path AND degrades reception or transmission of subsequent radio packets.

### Scope of work restricted to Helium Hotspot hardware

Ability to place software on a remote Helium Hotspot that runs on boot as a permanent backdoor installation.

### Scope of work restricted to retrieving private key-store information

- Any ability to read private key information from the secure key element is a critical failure.
- Any ability to inject incorrect or malicious key information (MITM) into typical operating communications to and from the Hotspot would be considered a severe issue.

## burrow.helium.systems

The scope of the burrow service is restricted to the following:

- Ability to SSH into burrow.helium.systems and connect to consumer Helium Hotspots.
- Ability to revoke other Helium employees' SSH access to the server at burrow.helium.systems.

## com.helium.mobile.wallet and com.helium.wallet

The scope of the mobile app (both the App Store and Google Play builds) is restricted to the following:

- Ability to intercept and retrieve the private wallet address
- Ability to intercept and retrieve the private hardware keys of a Hotspot while it is in Bluetooth pairing mode
- Ability to access the secure storage of the mobile app
- Ability to gain access to and bypass the security settings of the mobile app (FaceID, PIN, Fingerprint)

## console.helium.com

The scope of the Console application is limited to the following:

### Qualifying Vulnerabilities

- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Unauthorized access to customer account or data
- Server-Side Request Forgery
- Remote Code Execution
- SQL Injection
- Unauthorized access to customer accounts
- View or modify database records outside of your authorization scope

### Non-Qualifying Vulnerabilities

- Clickjacking on static websites
- Missing HTTP headers which do not directly lead to a vulnerability
- Password complexity policies
- Password-reset and account-invitation expiration policies
- Phishing and social engineering (of users and Helium employees)
- Reports for out-of-date software (lacking a proof-of-concept)
- SPF and DKIM records
- SSL/TLS protocol vulnerabilities
- Security best practice concerns

## ota.helium.com

The scope of the over-the-air update server is restricted to the following:

- Ability to hijack or impersonate the web server at ota.helium.com so that Helium Hotspots download and apply a malicious update.
- Ability to steal or crack the private key used to sign the Helium Hotspot updates that ota.helium.com points Hotspots to for download.
- Ability to upload and serve a malicious OTA image.
- Ability to remotely access the OTA server.

## www.helium.com

The scope of helium.com is restricted to the following:

### Qualifying Vulnerabilities

- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Server-Side Request Forgery
- Remote Code Execution
- Ability to modify content

### Non-Qualifying Vulnerabilities

- Clickjacking on static websites
- Missing HTTP headers which do not directly lead to a vulnerability
- Phishing and social engineering (of users and Helium employees)
- Reports for out-of-date software (lacking a proof-of-concept)
- SPF and DKIM records
- SSL/TLS protocol vulnerabilities
- Security best practice concerns

target_out_of_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity |
|---|---|---|---|---|---|---|---|
| *.helium.foundation | URL | | | | | | none |
| *.helium.wtf | URL | | | | | | none |
| Telegram, Slack, Helium Forums | OTHER | | | | | | none |
| dashboard.helium.com | URL | | | | | | none |
| network.helium.com | URL | | | | | | none |
| https://github.com/helium/helium-console-cli | OTHER | | | | | | none |
| www.helium.com/store | URL | | | | | | none |
| whitepaper.helium.com | URL | | | | | | none |
| https://heliumdashboard.grafana.net | URL | | | | | | none |

whitepaper.helium.com and its associated public AWS buckets are out of scope.

https://heliumdashboard.grafana.net is not hosted by Helium and is out of scope.