🐛 Bug Bounty Program
Last updated
Pollen Mobile rewards individuals who share with us vulnerabilities, issues, and the methods used to exploit them. Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process. Our priority is to resolve confirmed issues as quickly as possible to protect our customers and the integrity of the network. Pollen Mobile offers public recognition to those who submit valid reports and provides compensation commensurate with the severity of the vulnerability identified.
In order to be eligible for a Pollen Mobile Security Bounty, the issue must occur on an active, available version of the Pollen Mobile Core, the Pollen Mobile Bumblebee, or the Pollen Mobile Honeybee for iOS application. Researchers must:
- Be the first to report the issue to Pollen Mobile
- Provide a clear report, which includes a working exploit
- Not disclose the issue publicly before Pollen Mobile releases an advisory for the report
Bounty payments are determined by the severity level of the report. A maximum amount is set for each category, and the exact payment amount is determined after review by Pollen Mobile. All issues with significant impact to users will be considered, even if they do not match the published categories below. Bounty payments are dispensed at the discretion of Pollen Mobile.
Severity levels, example issues for each level, and the corresponding reward ranges are listed in the table at the end of this page.
The purpose of the Pollen Mobile Bug Bounty Program is to protect our customers and their data, and to strengthen the network by understanding its vulnerabilities. Reports that include a basic proof of concept instead of a working exploit are eligible to receive no more than 50% of the maximum payout amount. Reports lacking the information Pollen needs to efficiently reproduce the issue will receive a significantly reduced bounty payment, if they are accepted at all.
A complete report includes:
- A detailed description of the issues being reported
- Any prerequisites and steps to get the system to an impacted state
- Enough information for Pollen to reproduce the issue
Additional Requirements
Issues that require the execution of multiple exploits, as well as one-click and zero-click issues, require a full chain for maximum payout. The chain and report must include:
- Both compiled and source versions
- Everything needed to execute the chain
- A sample non-destructive payload, if needed
- A full report
Send your report by email to vp@pollenmobile.io. Include relevant videos, crash logs, and system diagnosis reports in your email. Please DM @zeusdog in Discord if you have any questions or require additional support or guidance in submitting your report.
Level | Examples | Reward |
---|---|---|
P0 Critical | Take down the network; exploit the home wallet; expose source code for non-open components; unauthorized access to Network Core; unauthorized access to Network Subscriber database; unauthorized access to Non-Core Pollen Infrastructure | 1,000K - 100K PCN |
P1 Severe | Expose user traffic; compromise IEPS (where enabled); smart contract bugs that lead to unauthorized data credit generation or erroneous PCN transfer; take over a user's NFTs; access a Flower operator's local network via user equipment | 100K - 50K PCN |
P2 Minor | Spoof Flowers; spoof user traffic; unauthorized access to Flower configuration/settings | 50K - 1K PCN |
P3 Nuisance | Spoof HoneyBee Pollen Drop rewards; steal NFTs pre-minting | 1K - Kudos |