Helping keep HODL secure
The HODL Bug Bounty Program
Security is paramount for HODL, which is why we run an extensive bug bounty program to reward those who can identify bugs and security issues on our platforms.
HODL is a community-driven DeFi project built on the Binance Smart Chain (BSC). HODL is revolutionary and constantly innovating to drive more rewards and value to all holders. It was the first project to reward its holders with BNB and reflections just for holding and has set the record for the biggest payout of all time.
At the heart of HODL is a highly innovative smart contract that captures tax revenues from buys, sells, and transfers of the token. Our sell bot liquefies these tokens, converting them into BNB, and then places the funds into the reward pool. By holding HODL you can collect your share of the reward pool every 7 days, and you will be sent reflections throughout.
- Business logic issues that can cause a loss of liquidity and/or user funds/assets
- Vulnerabilities in the smart contract that allow access to, or transfer of, liquidity and/or user funds/assets
- Payment manipulation
- Remote code execution (RCE)
- Leakage of sensitive information
- OWASP Top 10 issues such as XSS, CSRF, SQLi, SSRF, IDOR, etc.
- Other vulnerabilities with a clear potential to harm the project, steal funds, or cause loss in general
Out of Scope
- Theoretical vulnerabilities without actual proof of exploitation (proof of concept)
- Clickjacking/UI redressing with minimal security impact
- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
- Vulnerabilities in third-party applications & services
- Social engineering, phishing, physical, or other fraud activities
- Any activity (like DoS/DDoS) that disrupts our services
- Email or mobile number enumeration
- Information disclosure with minimal security impact (e.g., stack traces, path disclosure, directory listings, logs)
- Internally known issues, duplicate issues, or issues that have already been made public
- Best practices concerns
- Phishing attacks
- Self-XSS that cannot be used to exploit other users
- Content spoofing
- Use of known vulnerable libraries without actual proof of concept
- Exposure of internal IP addresses or domains
- Vulnerabilities affecting users of outdated browsers or platforms
- Missing security headers that do not lead to direct exploitation
- Host header issues without proof-of-concept demonstrating the vulnerability
- CSRF with negligible security impact (e.g., adding to favorites, adding to cart, subscribing to a non-critical feature)
- Issues that have no security impact (e.g., failure to load a web page)
- Assets that do not belong to HODL or HODLX
- Reports from automated tools or scans
- Links to invalid/expired pages (Only valid if you can demonstrate an actual takeover)
- Recently (less than 30 days) disclosed 0-day vulnerabilities (Reports allowed but no bounty gets paid)
- Avoid using web application scanners for automatic vulnerability searching, as they generate massive traffic
- Make every effort not to damage or restrict the availability of products, services, or infrastructure
- Don’t access or modify other users’ data; limit all tests to your own accounts
- Perform testing only within the scope
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
- Don’t spam forms or account creation flows using automated scanners
- If you find chained vulnerabilities, we’ll pay only for the vulnerability with the highest severity
- Don’t break any law and stay within the defined scope
- Details of any vulnerability found must not be communicated to anyone who is not an authorized employee of the company without appropriate permission
Severity and Payment
- Critical: $750 of either $HODL, $HODLX or HODL Hand NFTs
- High: $500 of either $HODL, $HODLX or HODL Hand NFTs
- Medium: $250 of either $HODL, $HODLX or HODL Hand NFTs
- Low: $75 of either $HODL, $HODLX or HODL Hand NFTs
- Information: No payment
To be deemed valid, a report must demonstrate a software vulnerability in a service provided by HODL that harms HODL or its customers. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.
A report must be valid and in scope to qualify for a bounty. HODL awards bounties based on the severity of the vulnerability, which HODL assigns when classifying the report.
You will receive a response from HODL within seven working days of reporting a finding. If the finding is classified and accepted, the payout will happen within 24 hours.
To report a finding, please use this Google form: https://forms.gle/2a1FTM81Z3LVRTTMA