Cashrain Bug Bounty Program

How to report vulnerabilities?

If you have discovered a qualifying vulnerability in our code or infrastructure, we would love to hear from you! Before you contact us, please read this entire page and make sure you follow the instructions.

- Team Cashrain

How do I report vulnerabilities?

We value reports that are well-structured and which explain the issues clearly. This helps us to reproduce and understand the problem. Well-structured reports will also receive higher payouts faster. A good resource on how to write bug bounty reports is Andy Gill's Medium post: https://blog.zsec.uk/stay-beautiful-stay-verbose/. Once your report is ready, please send an email to bugbounty (at) cashrain.com.

Qualifying vulnerabilities and awards

- Remote code execution on any of our servers. This includes SQL injection flaws and server-side request forgeries.
- Remote code execution in any client browser, for example through cross-site scripting.
- Anything that breaks our cryptographic security model, and allows unauthorised remote access to keys or data, or manipulation of them.
- Access control and authentication bypasses which could lead to unauthorised overwriting and deletion of keys or user data.
- Any issue that jeopardises user account data in cases where the associated email address is compromised.

Out of scope vulnerabilities

- Anything that actively requires user interaction, such as phishing and social engineering attacks.
- Weak user account passwords.
- Vulnerabilities that require a large number of server requests to exploit.
- Attacks requiring a compromised client machine.
- Issues occurring through the use of unsupported or outdated client browsers.
- Any issue requiring physical data centre access (see below for limited scope scenarios that allow for compromised servers).
- Vulnerabilities in third-party operated services, for example resellers.
- Any overloading, resource exhaustion and denial-of-service type of attacks.
- Any scenario relying on forged SSL certificates.
- Anything requiring extreme computing power (2^60 cryptographic operations or more) or a working quantum computer. This includes allegedly predictable random numbers; if you are able to show an actual weakness rather than general conjecture, we may consider that as a qualifying bug report.
- Any bugs or issues unrelated to security vulnerabilities.

Special scenarios

Compromised static CDN node (*.cashrain.*)
Let's assume that you have compromised one of our static content servers and are able to manipulate the files (including all JavaScript code) served from it. Can you leverage that achievement to compromise our security? Disclaimer: Influencing user actions through modified image files, while indeed a potential vulnerability in this context, is excluded.

Compromised user storage node (*.cashrain.*)
Let's assume that you have gained access to one of our storage nodes and are able to manipulate it freely. You know that your victim is about to download a particular file residing on that node, but you don't have its key. Can you manipulate its content so that it still downloads without error?

Compromised core infrastructure (*.cashrain.*)
This is the most extreme scenario. Let's assume that you have compromised our operational heart, the API servers. Can you trick API clients into surrendering usable keys for files in accounts that do not have any outgoing shares in them?

Vulnerability classifications

Cashrain classifies vulnerabilities according to severity, on a scale from 1 to 6.

Severity class 6
Fundamental cryptographic design flaws that are generally exploitable.

Severity class 5
Remote code execution on core Cashrain servers such as application programming interface, database and root clusters or major access control breaches.

Severity class 4
Cryptographic design flaws that can be exploited only after compromising server infrastructure, either live or post-mortem.

Severity class 3
Generally exploitable remote code execution on client browsers (cross-site scripting).

Severity class 2
Cross-site scripting that can be exploited only after compromising the API server cluster or successfully mounting a man-in-the-middle attack, for example by issuing a fake TLS/SSL certificate plus DNS/BGP manipulation.

Severity class 1
All lower-impact or purely theoretical vulnerability scenarios.

How much can I earn?

We award up to EUR 10,000 per vulnerability, depending on its complexity and impact potential.
As mentioned before, high-quality bug and vulnerability reports that are well-structured and documented, with a proof of concept, will be rewarded at the top end of each severity class.

Who is eligible for awards?

The first person to report a vulnerability that’s reproducible and verifiable by Cashrain.

Responsible disclosure policy

Please adhere to the industry-standard responsible disclosure policy, with a 90-day period from when the reported vulnerability is verified and acknowledged, to give us time to test and deploy any fixes.

Who decides what is a valid vulnerability report?

The decision whether your report qualifies and how much you will earn is at our discretion. While we will be fair and generous, by submitting a bug report, you agree and accept that our verdict is final.