Bug Bounty Programs
Avana Wallet participates in bug bounty programs. We appreciate the value-add of pen-testing and believe that a robust codebase is of utmost importance. We pay out bounties for valid bugs only - the bug must meet a minimum set of criteria detailed in the programs.
Our security.txt file is located at https://www.avanawallet.com/.well-known/security.txt.
Current Programs
Guidelines
We ask you to follow these guidelines when pen-testing:
- Only report relevant vulnerabilities within the program scope. The team does not respond to low-quality submissions outside of the program scope.
- Throttle API requests (max 60/minute).
- Throttle HTTP requests (max 60/minute).
- Add 'Pentest' to the User-Agent header.
- No email spam or phishing attempts.
- Denial of service (DoS) attacks on Avana Wallet applications, servers, networks or infrastructure are strictly forbidden.
- Avoid tests that could cause degradation or interruption of our services.
- Do not use automated scanners or tools that generate a large amount of network traffic.
- Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
- Do not copy any files from our applications/servers and disclose them.
- No vulnerability disclosure, full, partial or otherwise, is allowed.
Reporting Bugs
Please contact security@avanawallet.com to report any potential issues. Include your name or alias and a detailed write-up of the issue.
Our Security Team will get back to you quickly. Please allow our team a reasonable amount of time to address the issue and push updates before publicly disclosing bugs. Leaking bugs before they have been addressed will invalidate any potential bounty payments.