Linen App bug bounty

Linen App allows individuals to interact with their crypto assets in a user-friendly way. We do not take custody of any user’s assets, so our security policy is centered on how well our software allows people to safely and privately interact with their own assets.

General rules and guidelines

  • Decisions on the eligibility and size of a reward are at the sole discretion of Linen App.

  • Report a vulnerability as soon as you discover it, but keep it confidential between yourself and the Linen App team until we’ve resolved the issue. Public disclosure of a vulnerability makes it ineligible for a bounty.

  • Provide us with at least 5 working days to investigate the issue and respond to you.

  • Any vulnerabilities should be submitted via the form below.

  • Issues without steps to reproduce are ineligible for the bug bounty.

  • Issues must be new to the team. They can’t have already been identified by another user or by our audit.

  • When possible, avoid privacy violations, degradation of user experience, and disruption to production systems or data during security testing.

  • No employees, contractors or others with current or prior commercial relationships with Linen Mobile, Inc. are eligible for rewards.

  • Any activities conducted in a manner consistent with the rules and guidelines will be considered authorized conduct and we will not initiate legal action against you.

Scope

Out of scope

  • MITM/physical access to a user’s device

  • SSL/TLS Configuration

  • Denial of Service attacks

  • Any third party service used by Linen App

  • Spam or Social Engineering techniques, including SPF and DKIM issues

  • Theoretical vulnerabilities without actual proof of concept

  • Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs)

  • Linen landing page: https://linen.app/

  • Linen Blog: https://blog.linen.app/

  • Linen Learn: https://learn.linen.app/

  • DNSSEC setup

Rewards

Only the issues under the scope described above are eligible for the reward.

The reward will be paid in USDC or cUSDC tokens to the Ethereum address you provide. Please make sure that you will be able to withdraw USDC from the address provided.

The reward level will be based on the CVSS score and the quality of the issue description, and will be determined at the sole discretion of the Linen App team.

  • Critical (CVSS 9.0 – 10.0): $500 – $1000

  • High (CVSS 7.0 – 8.9): $150 – $500

  • Medium (CVSS 4.0 – 6.9): $30 – $150

  • Low (CVSS 0.0 – 3.9): $0 – $30

Hall of fame

Bug bounty submission form

Please include a detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us). Please submit additional materials (like screenshots) as links in the description.

Your name/handle and your link for recognition (Twitter, Reddit, Facebook, HackerOne, etc.) will be attached to the Hall of Fame.