Sui Wallet
The following components and vulnerability types are considered out-of-scope for this program:
Sui Explorer
Vulnerabilities within the Sui Explorer, including front-end and smart contract components
SuiFrens
This includes the website, infrastructure and smart contracts
SuiNS
This includes the website, infrastructure and smart contracts
Sui Kiosk and Kiosk Extensions
Code that implements royalty and other enforcements
Third-party Integrations
Vulnerabilities in services, platforms, libraries, or other components not directly controlled by Mysten Labs
Physical Security
Vulnerabilities that require physical access to a user's device or data center
Denial of Service (DoS) Attacks
While we are aware of the potential for DoS attacks, our focus is on vulnerabilities that could lead to unauthorized access or data leakage, so DoS attacks are out-of-scope
Version-specific vulnerabilities
Vulnerabilities that only exist in outdated versions of our products, smart contracts, or wallet extension
Clickjacking
User Interface redress attacks, also known as clickjacking
Tabnabbing
A phishing attack that targets inactive tabs in the user's browser
Best Practices
Failure to adhere to "Best Practices" or recommendations (e.g., CWE-200), unless a viable, concrete attack scenario is presented
Self-XSS
Self-cross-site scripting: XSS that requires the victim to inject the payload into their own session
Missing HTTP Security Headers
Unless you can demonstrate a concrete security risk, missing security headers will be considered out-of-scope and dismissed with prejudice
Expired SSL Certificates
Attacks requiring a man-in-the-middle (MITM) position or physical access to a user's device
Issues that require unlikely user interaction (e.g. a user entering their seed phrase into a form)
Open redirect
Unless an additional security impact can be demonstrated
Any reports from employees or recently hired auditors
Known security issues from previous reports or audits set forth below.
zkLogin features
Rules & Rewards
To maintain integrity, avoid potential conflicts of interest, and ensure an effective bug bounty/auditing program, the following restrictions apply:
Current employees, vendors (auditors), partners and contractors of Mysten Labs and Sui Foundation are not eligible to participate in the program.
Former employees and contractors of Mysten Labs and Sui Foundation who have ceased working with those entities must wait 6 months from their last date of employment before becoming eligible to participate in the program.
Sanctioned individuals and/or organizations are not eligible to participate in the program.
Responsible Disclosure
If you find a security vulnerability, please submit it to us privately (using the instructions below) before making it public. Rewards will not be awarded if a vulnerability is publicly disclosed first.
Researchers must not exploit any vulnerability to access, modify, harm, or leak data that does not belong to them.
Testing should not compromise the privacy of any individual or entity.
How to Submit A Suspected Vulnerability
Participate on HackenProof
Rules & Rewards
Our rewards for wallets and websites are based on severity per the Common Vulnerability Scoring System (CVSS). Please note that these are general guidelines, and reward decisions are subject to the discretion of Mysten Labs.
Upon validating a reported bug, we will notify you about the reward amount. Payouts will be processed following our KYC (Know Your Customer) procedures. Please note that all researchers eligible for a reward will be required to go through our KYC process.
The KYC process is necessary to prevent fraudulent activities and comply with international regulations. We ensure that all personal information collected during this process will be stored securely and used solely for the purpose of the KYC process.
KYC DOCUMENTS REQUIRED
A government-issued identification document (Passport, National ID, or Driver's License)
Proof of address (Utility Bill, Bank Statement, or any official document showing your full name and address)
Failure to successfully pass the KYC process will result in the withholding of the bounty payout. We appreciate your understanding and cooperation in this matter.
When conducting vulnerability research, we consider research conducted solely under this program to be:
01. Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith actions that would otherwise constitute hacking;
02. Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of our technology controls;
03. Exempt from any restrictions in our Terms of Service (TOS) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
04. Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
Note that this section applies only to legal claims brought by Mysten Labs, and that this section does not bind independent third parties or law enforcement authorities.
Scope & impact
The funds being frozen or locked within the wallet, and otherwise irrecoverable
Funds being stolen by an attacker, either through leakage of the Secret Recovery Phrase or through transactions that are triggered specifically by visiting a webpage
The entire set of accounts becoming irrecoverable using the existing flows in the app.
Acknowledgements
Once submissions have been validated, we will make public the identity of participants who elect to have their name (or nickname) published. Otherwise, we will list the participant as anonymous.