
Bug Bounty Programs

Avana Wallet participates in bug bounty programs. We appreciate the value that pen-testing adds and believe that a robust codebase is of utmost importance. We pay out bounties for valid bugs only: the bug must meet a minimum set of criteria detailed in the programs.

Our security.txt file is located at https://www.avanawallet.com/.well-known/security.txt.

Current Programs

Guidelines

We ask you to follow these guidelines when pen-testing:

  • Only report relevant vulnerabilities within the program scope. The team does not respond to low-quality submissions outside of the program scope.
  • Throttle API requests (max 60/minute).
  • Throttle HTTP requests (max 60/minute).
  • Add 'Pentest' to the User-Agent header.
  • No email spam or phishing attempts.
  • Denial of service (DoS) attacks on Avana Wallet applications, servers, networks or infrastructure are strictly forbidden.
  • Avoid tests that could cause degradation or interruption of our services.
  • Do not use automated scanners or tools that generate large amounts of network traffic.
  • Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
  • Do not copy any files from our applications/servers and disclose them.
  • No vulnerability disclosure, full, partial or otherwise, is allowed.

Reporting Bugs

Please contact security@avanawallet.com to report any potential issues. Include your name or alias and a detailed write-up of the issue.

Our Security Team will get back to you quickly. Please allow our team a reasonable amount of time to address the issue and push updates before publicly disclosing bugs. Leaking bugs before they have been addressed will invalidate any potential bounty payments.