Sui Wallet
Out of Scope
Sui Explorer: Vulnerabilities within the Sui Explorer, including front-end and smart contract components
SuiFrens: This includes the website, infrastructure and smart contracts
SuiNS: This includes the website, infrastructure and smart contracts
Sui Kiosk and Kiosk Extensions: Code that implements royalty and other enforcements
Third-party Integrations: Vulnerabilities in services, platforms, libraries, or other components not directly controlled by Mysten Labs
Physical Security: Vulnerabilities that require physical access to a user's device or data center
Denial of Service (DoS) Attacks: While we are aware of the potential for DoS attacks, our focus is on vulnerabilities that could lead to unauthorized access or data leakage, so DoS attacks are out-of-scope
Version-specific vulnerabilities: Vulnerabilities that only exist in outdated versions of our products, smart contracts, or wallet extension
Clickjacking: User Interface redress attacks, also known as clickjacking
Tabnabbing
Best Practices: Failure to adhere to "Best Practices" or recommendations (i.e., CWE-200), unless a viable, concrete attack scenario is presented
Self-XSS: Self-Cross-Site Scripting vulnerabilities
Missing HTTP Security Headers: Unless you can demonstrate a concrete security risk, missing security headers will be considered out-of-scope and dismissed with prejudice
Expired SSL Certificates
Attacks requiring MITM or physical access to a user's device
Issues that require unlikely user interaction (e.g. entering their seed phrase into a form)
Open redirect - unless an additional security impact can be demonstrated
Any reports from Employees or recently hired auditors
Known Security Issues from previous reports or Audits set forth below.
zkLogin features
Rules & Rewards
To maintain integrity, avoid potential conflicts of interest, and ensure an effective bug bounty/auditing program, the following restrictions apply:
Current employees, vendors (auditors), partners and contractors of Mysten Labs and Sui Foundation are not eligible to participate in the program.
Former employees and contractors of Mysten Labs and Sui Foundation, who ceased working with the aforementioned entities must wait 6 months from the last date of employment before being eligible to participate in the program.
Sanctioned individuals and/or organizations are not eligible to participate in the program.
These restrictions are put in place to ensure the objectivity of the program and to prevent any potential conflicts of interest.
Responsible Disclosure
If you find a security vulnerability, please submit it to us privately (using the instructions below) before making it public. Rewards will not be awarded if a vulnerability is publicly disclosed first.
No Disruption
If you find a security vulnerability, please submit it to us privately (using the instructions below) before making it public. Rewards will not be awarded if a vulnerability is publicly disclosed first.
No Harm
Researchers must not exploit any vulnerability to access, modify, harm, or leak data that does not belong to them.
Avoid Compromosing Privacy
Testing should not compromise the privacy of any individual or entity.
How to Submit A Suspected Vulnerability
Please send an email to bugbounty@mystenlabs.com with the following:
Current employees, vendors (auditors), partners and contractors of Mysten Labs and Sui Foundation are not eligible to participate in the program.
Sanctioned individuals and/or organizations are not eligible to participate in the program.
Former employees and contractors of Mysten Labs and Sui Foundation, who ceased working with the aforementioned entities must wait 6 months from the last date of employment before being eligible to participate in the program.
These restrictions are put in place to ensure the objectivity of the program and to prevent any potential conflicts of interest.
Detailed steps to reproduce the bug
The potential impact of the bug
Any potential fixes
SLAs & Rewards
Website & Wallet
Our rewards for wallets and websites are based on severity per the Common Vulnerability Scoring Standard. Please note that these are general guidelines, and reward decisions are subject to the discretion of Mysten Labs. Mysten Labs may change or modify the amounts or types of rewards and may remove or reallocate any rewards earned by any participant or elect not to provide any rewards to any participant for any reason. Distribution of rewards will follow reward determinations made by Mysten Labs, and will be subject to successful completion of KYC process (details below).
Payments will be denominated in SUI. U.S. persons will receive rewards denominated in USD.
Key Verifications
Upon validating a reported bug, we will notify you about the reward amount. Payouts will be processed following our KYC (Know Your Customer) procedures. Please note that all researchers eligible for a reward will be required to go through our KYC process.
The KYC process is necessary to prevent fraudulent activities and comply with international regulations. We ensure that all personal information collected during this process will be stored securely and used solely for the purpose of the KYC process.
During the KYC process, you may be asked to provide the following:
A government-issued identification document (Passport, National ID, or Driver's License)Proof of address (Utility Bill, Bank Statement, or any official document showing your full name and address)
Failure to successfully pass the KYC process will result in the withholding of the bounty payout. We appreciate your understanding and cooperation in this matter.
Safe Harbor Policy
When conducting vulnerability research, we consider research conducted solely under this program to be:
Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith actions that would otherwise constitute hacking;
Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of our technology controls;
Exempt from any restrictions in our Terms of Service (TOS) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with these terms, please contact us at bugbounty@mystenlabs.com for further guidance.
Note that this section applies only to legal claims brought by Mysten Labs, and that this section does not bind independent third parties or law enforcement authorities.
Detailed Scope
& Impact
Impact in Scope for Wallet
The funds being frozen or locked within the wallet, and otherwise irrecoverable
The funds being stolen by an attacker through leaking of the Secret Recovery Phrase or transactions specifically when visiting a webpage
Entire set of accounts being irrecoverable using existing flows in the app.
Critical
Execution of unauthorized system commands
Retrieval of sensitive data/files from the server
Performing state-altering authenticated actions on behalf of other users without their interaction, such as:
Modifying user registration information
Altering NFT metadata
Seizing control of a subdomain through interaction with an already-connected wallet
Direct unauthorized access or theft of user funds
Malicious interactions with an already-connected wallet such as:
Changing transaction arguments or parameters
Substituting contract addresses
Submitting malicious transactions
Direct theft of user NFTs
Injection of malicious HTML or XSS through NFT metadata
High
Seizing control of a subdomain without interaction with an already-connected wallet.
Injection or modification of static content on the target application without the use of JavaScript (Persistent), which could include:
HTML injection devoid of JavaScript
Substitution of existing text with arbitrary content
Unrestricted file uploads, and more
Alteration of sensitive user details (including modifications to browser local storage) without interaction with an already-connected wallet and requiring only a single user interaction, which could include:
Changing a user's email or password
Incorrect disclosure of confidential user information such as:
Email addresses
Phone numbers
Physical addresses
Medium
Injecting/modifying the static content on the target application without
Javascript (Reflected) such as:
Reflected HTML injection
Loading external site data
Redirecting users to malicious websites (Open Redirect)
Low
Taking over broken or expired outgoing links such as Social media handles, etc.
Temporarily disabling user to access target site, such as:
Locking up the victim from login
Cookie bombing, etc