🐛Bug Bounty Program

Pollen Mobile rewards individuals who share with us vulnerabilities, issues, and the methods used to exploit them. Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process. Our priority is to resolve confirmed issues as quickly as possible to protect our customers and the integrity of the network. Pollen Mobile offers public recognition to those who submit valid reports and provides compensation commensurate with the severity of the vulnerability identified.

Eligibility

In order to be eligible for a Pollen Mobile Security Bounty, the issue must occur on an active, available version of the Pollen Mobile Core, the Pollen Mobile Bumblebee, or the Pollen Mobile Honeybee iOS application. Researchers must:

  • Be the first to report the issue to Pollen Mobile

  • Provide a clear report, which includes a working exploit

  • Not disclose the issue publicly before Pollen Mobile releases an advisory for the report

Bounty Categories

Bounty payments are determined by the severity level of the report. A maximum amount is set for each category, and the exact payment amount is determined after review by Pollen Mobile. All issues with significant impact on users will be considered, even if they do not match the published categories below. Bounty payments are dispensed at the discretion of Pollen Mobile.

Level / Examples / Reward

P0 Critical

Examples:

  • Take down the network

  • Exploit the home wallet

  • Expose source code for non-open components

  • Unauthorized access to the Network Core

  • Unauthorized access to the Network Subscriber database

  • Unauthorized access to non-Core Pollen infrastructure

Reward: 1,000K - 100K PCN

P1 Severe

Examples:

  • Expose user traffic

  • Compromise IEPS (where enabled)

  • Smart contract bugs that lead to unauthorized data credit generation or erroneous PCN transfer

  • Take over a user's NFTs

  • Access a Flower operator's local network via user equipment

Reward: 100K - 50K PCN

P2 Minor

Examples:

  • Spoof Flowers

  • Spoof user traffic

  • Unauthorized access to Flower configuration/settings

Reward: 50K - 1K PCN

P3 Nuisance

Examples:

  • Spoof Honeybee Pollen Drop rewards

  • Steal NFTs before minting

Reward: 1K PCN - Kudos

Reporting and Payout Guidelines

The purpose of the Pollen Mobile Bug Bounty Program is to protect our customers and their data, and to contribute to the strength of the network by understanding its vulnerabilities. Reports that include a basic proof of concept instead of a working exploit are eligible to receive no more than 50% of the maximum payout amount. Reports lacking the information Pollen needs to efficiently reproduce the issue will receive a significantly reduced bounty payment, if they are accepted at all.

A complete report includes:

  • A detailed description of the issues being reported

  • Any prerequisites and steps to get the system into an impacted state

  • Enough information for Pollen to reproduce the issue

Additional Requirements

Issues that require the execution of multiple exploits, as well as one-click and zero-click issues, require a full chain to qualify for the maximum payout. The chain and report must include:

  • Both compiled and source versions

  • Everything needed to execute the chain

  • A sample non-destructive payload, if needed

  • A full report

Sending Your Report

Send your report by email to vp@pollenmobile.io. Include relevant videos, crash logs, and system diagnostic reports in your email. Please DM @zeusdog on Discord if you have any questions or require additional support or guidance in submitting your report.