EXODUS BOUNTY PROGRAM

Introduction

The EXODUS Bounty Program recognizes contributions of security researchers who invest time and effort to help us make the EXODUS ecosystem more secure. This program provides monetary rewards to those who find vulnerabilities in the EXODUS ecosystem and disclose them to HTC.

Scope of EXODUS Bounty Program

This program covers security vulnerabilities discovered in the latest versions of the following EXODUS features:

  • Zion Vault
  • Zion Trusted Execution Environment (TEE)
  • Zion Key Management Service
  • Social Key Recovery

In the future, HTC may expand the program to cover additional EXODUS features. While we welcome vulnerability reports about any EXODUS feature, reports for other features are not included in this bounty program.

The following issues are considered out of scope:

  • Vulnerabilities that do not affect the Zion Vault.
  • Known vulnerabilities in third party services.
  • Vulnerabilities that we are already aware of or have been previously reported.
Rules: To be eligible to join the EXODUS Bounty Program, you must be:
  • Above the age of majority in the country, state, province, or jurisdiction of residence (i.e. twenty years old in Taiwan).
  • Not a resident of Crimea, Cuba, Iran, Syria, North Korea, or Sudan.
  • Not a person or entity under U.S. export controls or sanctions.
Eligible bugs and bounty levels for EXODUS Bounty Program

You may be eligible to receive a monetary reward if: (a) you submit a Qualified Report as required by this program; (b) you are the first person to submit the vulnerability of covered features; (c) the vulnerability is verified as a valid security issue by HTC; and (d) you fully comply with these terms. The reward range is from $200 USD up to $10,000 USD, depending on the severity of vulnerability and the quality of the report. The reward amount is at the full discretion of HTC. The monetary value of each reward level is as follows:

  • Critical ($10,000 USD)
  • High ($5,000 USD)
  • Moderate ($1,000 USD)
  • Low ($200 USD)
How to report bugs

Follow the report format, provide steps to reproduce the bug, and describe the impact.
Send the report to security@htc.com with PGP encryption

PGP key information

Due to the sensitive nature of security information, HTC provides a method for you to encrypt emailed report to send to HTC via security@htc.com . You can use HTC's Product Security PGP key to encrypt sensitive information sent via email.

A Qualified Report should include the following:
  • A brief statement about the issues’ symptoms, steps to reproduce the issues, and issues’ levels of occurrence.
  • The issue device Build fingerprint by running adb shell getprop ro.build.fingerprint
  • The issue device Kernel version by running adb shell cat /proc/version
  • A bugreport/logcat/CrashDump file including the issue and logged valid issue timestamp.
  • An explanation of the issue in detail at the source code level.
    –  Include source file and function (specify line of code) where the issue is.
  • Steps to reproduce the issue, including sample code where appropriate.
  • Proof of concept; or a malformed file, for example, a media file that reproduces the issue when decoded.
  • Crash artifacts including stack trace (if available)
    –  Full crash stack with line numbers from llvm-symbolizer, asan_symbolize.py, or ndk-stack.
    –  ASAN/KASAN crash reports if run with an address sanitizer, with line numbers from llvm-symbolizer, asan_symbolize.py, or ndk-stack.
Ownership of Report Findings

As a condition of participation in this program, you hereby grant HTC, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to disclose, license, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the report findings, as well as any materials submitted to HTC in connection therewith, for any purpose. You should not send us any report findings that you do not wish to license to us.

You hereby represent and warrant that the report is original to you and you own all right, title and interest in and to the report. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the report to HTC. In no event shall HTC be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the report irrespective of their similarity to the information in the report, so long as HTC complies with the terms of participation stated herein.

Legal Statement

You may not participate in this program if you are a resident of or an individual located within a country appearing on any U.S. sanctions lists (such as the lists administered by the U.S. Depart of the Treasury’s OFAC). You are responsible for any tax implications arising from your country of residency and/or citizenship.

This program, including its terms, is subject to change or termination by HTC at any time, without prior notice. HTC may amend these terms at any time by posting an updated version on our website.

Your tests and resulting report must not violate any laws.

You may not, and are not authorized to engage in any activity that would be disruptive, damaging or harmful to HTC, its brands or its users. This includes: social engineering, phishing, physical security and denial of service attacks against users, employees, or HTC as a whole. HTC does not give permission/authorization (either implied or explicit) to an individual or group of individuals to (1) extract personal information or content of HTC users or publicize this information on the open, public-facing internet without user consent or (2) modify or corrupt programs or data belonging to HTC in order to extract and publicly disclose data belonging to HTC.

HTC may immediately terminate your participation in this program and disqualify you from receiving any reward if (a) you breach any of these terms or your agreement with HTC; or (b) HTC determines, in its sole discretion, that your continued participation in this program could adversely impact HTC(including but not limited to presenting any threat to HTC’s systems, products, services, security, finances, and/or reputation). Please see our recommendations on the proper procedures for testing our program.

Any information you receive or collect about HTC or any HTC user through the EXODUS Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your report and information you obtain when researching the HTC sites, without HTC’s prior written consent.

In addition to any indemnification obligations you may have with HTC, you agree to defend, indemnify and hold HTC, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of HTC, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your report, your breach of these program terms and/or your improper use of the EXODUS Bounty Program.

Safe Harbor

HTC will not initiate a lawsuit or law enforcement investigation against a security researcher in response to reporting a vulnerability if the security researcher fully complies with this program.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not HTC), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities. If legal action is initiated by a third party against you and you have complied with this program, we will take reasonable steps to make it known that your actions were conducted in compliance with this program.

You are expected, as always, to comply with all applicable laws and regulations.
Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this program.

Questions and Answers

Q: How do I know if my report is eligible for a reward?
A: HTC will notify you if your report is eligible for reward after our internal verification process. We will also inform you once we decide the reward which you should receive.

Q: What if someone else also found the same bug?
A: Only the first report of a bug that we were previously unaware of and has never been disclosed to the public is eligible.

Q: What if my reporting includes several bugs?
A: If you report contains several bugs that are duplicates in different facets of EXODUS (e.g. the same bugged code running on different modules), or part of a larger issue, these bugs may be considered as one report and only one reward may be granted.

Q: What if there are bugs in custom ROMs used on eligible EXODUS devices?
A: This program only covers official versions of ROMs on eligible EXODUS devices.

Q: What if there are bugs in features not listed in this program on eligible EXODUS devices?
A: This program only covers the latest available versions of EXODUS features in scope of this program.

Q: What if I publicly disclose the bug before a patch is available?
A: For security concerns, please hold the disclosure of the bug before we can issue an update. Your report will not qualify for a reward if you disclose the bug to any third party or make it public before a fix is available. Besides, if you disclose the bug after receiving the reward without giving us a reasonable deadline for making a patch available, you may not be eligible for future rewards.

Q: Shall I put personal information in the report for contact and payment purposes?
A: To protect your personal information in our internal verification and investigation process, we suggest you not to include your personal information in the bug report. If you are eligible for a reward, we will contact you at the email address you provide and request for your personal information that are necessary for the payment of the reward.