bitaccess

target_in_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity |
|---|---|---|---|---|---|---|---|
| bitaccessbtm.com | URL | low | medium | | | medium | critical |
| faa.st | URL | none | low | | | low | medium |

# BTM

Our flagship product, the BTM, is a Bitcoin ATM. Besides the physical kiosk, this asset also comprises a consumer website (https://bitaccessbtm.com/account/signin) and an administration panel for BTM owners (https://op.bitaccessbtm.com). You can get an idea of how a BTM works by watching this video: https://www.youtube.com/watch?v=6DqqVN0LXrI

# Risks

- Ability to gain unauthorized access to a user's account history
- Ability to gain unauthorized access to the administration panel
- Ability to sell Bitcoin to a kiosk remotely and collect cash without actually sending the Bitcoin
- Gaining access to private data from secured APIs

# Target Domains

- https://bitaccessbtm.com
- https://op.bitaccessbtm.com

# Scope and Off Limits

DO NOT:

- DDoS the service
- Generate hundreds of accounts for fun
- Send SMS messages to anyone who is not you

If you do this, you will be banned from our program and API promptly.

DO:

- Use the service like a regular user would
- Play with requests & authentication
- Try to get the service to pay you more than you are owed

# faast

Faast is a simple API service that allows swapping one cryptocurrency for another. The documentation for this API is available here: https://api.faa.st. Video of the product: https://twitter.com/goFaast/status/1163933942833172481

# Risks

The major risks with this API are:

- Double payout
- Private information leak

# Scope & Off Limits

DO NOT:

- DDoS the service
- Generate thousands of swaps for fun

If you do this, you will be banned from our program and API promptly.

DO:

- Use the service like a regular user would
- Play with requests & authentication
- Try to get the service to pay you more than you are owed

# Double Payouts, Over-payout

The biggest risk of this API is double payouts: creating a swap, making a single deposit, and getting more than a single payout for that one deposit. Another risk is being able to manipulate the pricing of swaps. For example, creating a swap for 1 ETH, depositing 0.1 ETH, and having the system think you actually deposited 1 ETH.

# Private information

Faast currently collects very little information, so private information is scarce. There is a chance you could leak another user's IP address. We don't think it's possible.

# Test API

There is a test API available at:

- https://testapi.faa.st

It is highly experimental, but if you want to play with Testnet BTC or ETH, have fun. Please note that only vulnerabilities which can be replicated on production are eligible for bounties.
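The two Faast payout risks listed above (a double payout for one deposit, and an over-payout where the system believes 1 ETH arrived when 0.1 ETH did) and the BTM risk of collecting cash without the Bitcoin actually being sent are one defect class: a payout path that acts on a deposit notification without checking that the deposit is final, that this notification has not already been paid, and that the payout is sized by what actually arrived rather than what the user announced. The toy model below is an added example and is not Faast's or Bitaccess's code; the swap and deposit structures, the fixed rate, the txids, the confirmation threshold and the attack sequence are all constructed for the illustration. It shows the vulnerable payout logic beside a hardened version with the three checks.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed fixed quote for the example; a real service quotes a live rate.
RATE_ETH_TO_BTC = Decimal("0.05")
# Assumed finality threshold; choose per chain and per amount in practice.
MIN_CONFIRMATIONS = 12


@dataclass
class Swap:
    swap_id: str
    requested_deposit: Decimal           # what the user *announced* at creation
    payouts: list = field(default_factory=list)


@dataclass
class DepositEvent:
    """A deposit notification, e.g. from a chain watcher or webhook (constructed)."""
    txid: str
    swap_id: str
    amount: Decimal                      # what was actually observed on-chain
    confirmations: int


class VulnerableSwapService:
    """Pays on every notification and sizes the payout by the announced amount."""

    def __init__(self):
        self.swaps = {}

    def create_swap(self, swap_id, requested_deposit):
        self.swaps[swap_id] = Swap(swap_id, Decimal(requested_deposit))

    def on_deposit(self, ev):
        swap = self.swaps[ev.swap_id]
        # Flaw 1: no finality check, so an unconfirmed (or later dropped) tx pays.
        # Flaw 2: no idempotency key, so a replayed notification pays again.
        # Flaw 3: trusts what the user said they would send, not what arrived.
        payout = swap.requested_deposit * RATE_ETH_TO_BTC
        swap.payouts.append(payout)
        return payout

    def total_paid(self, swap_id):
        return sum(self.swaps[swap_id].payouts, Decimal(0))


class HardenedSwapService(VulnerableSwapService):
    """Same interface: one payout per confirmed txid, sized by the observed amount."""

    def __init__(self):
        super().__init__()
        self.settled_txids = set()

    def on_deposit(self, ev):
        if ev.confirmations < MIN_CONFIRMATIONS:
            return None                  # not final yet: wait, do not pay
        if ev.txid in self.settled_txids:
            return None                  # duplicate delivery: already paid
        swap = self.swaps[ev.swap_id]
        # Mark the txid settled *before* paying. In a real service this check
        # and insert must be one atomic step (e.g. a unique index on txid) so
        # two concurrent deliveries of the same notification cannot both pass.
        self.settled_txids.add(ev.txid)
        payout = ev.amount * RATE_ETH_TO_BTC   # pay for what actually arrived
        swap.payouts.append(payout)
        return payout


def run_scenario(service):
    """Constructed attack sequence: announce a 1 ETH swap, send only 0.1 ETH,
    have the deposit notification delivered twice, then push an unconfirmed tx.
    Returns the total BTC paid out for the swap."""
    service.create_swap("swap-1", "1")
    confirmed = DepositEvent("0xaaa", "swap-1", Decimal("0.1"), confirmations=20)
    service.on_deposit(confirmed)
    service.on_deposit(confirmed)        # replay / webhook retry
    pending = DepositEvent("0xbbb", "swap-1", Decimal("0.1"), confirmations=0)
    service.on_deposit(pending)          # never confirms
    return service.total_paid("swap-1")


if __name__ == "__main__":
    print("vulnerable paid:", run_scenario(VulnerableSwapService()))  # 0.15 BTC
    print("hardened paid:  ", run_scenario(HardenedSwapService()))    # 0.005 BTC
```

Against the constructed sequence the vulnerable service pays 0.15 BTC for a 0.1 ETH deposit (three payouts, each sized by the announced 1 ETH), while the hardened service pays 0.005 BTC once. When testing a real swap or kiosk flow under the program's "try to get the service to pay you more than you are owed" item, these are the three behaviours to probe: replaying or re-delivering a deposit notification, sending less than the announced amount, and triggering payout on a transaction that is not yet final.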

target_out_of_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity |
|---|---|---|---|---|---|---|---|