A4 Bug Bounty

We are constantly working to ensure a decent level of security for our products and our users' data. We hope you can help us with this. Below are the rules of our bug bounty program. Please read them carefully.

Vulnerability Category and Rewards

Each participant who is the first to find and report a valid vulnerability can receive a monetary reward. The amount of the reward depends on the criticality of the found vulnerability. Our experts will assess the vulnerability and, based on the analysis, determine the criticality, based on the damage that could result from it.

Critical 100000 A4 Local
High 30000 A4 For Publicly Accessible Asset
Medium 10000 A4 Token Leakage via Host Header Poisoning
Low 3000 A4 Non-Privileged User to Anyone

Send your findings to “[email protected]”. Also please encrypt the content of your emails with this GPG key.
In your email, provide all the information you need about the error found:

-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBGJOKd4BEAC7cd7viKc2fRoXZCEkjjUDLXcjNd1yY3VhY137zK5uD5uc47Be 1ge/Pv6ZTlPZcGAPYjLvAxhie88lkskHWez1XKLkAfUOKUZtwXBRKguh06MlbTVU 1Ikyy8h4B4XoVwlocmIzHf0tqXV5uwOjNcHmOYQwiDGaLejK/Bfe4n6MYxy6vBT3 HrPaIkRmW0Q1mGahQNbLgspeW3QKCj0//x6C6oHCHrcZo6v2xDLDB0aX/lidMD7X wSCu30MfmHrdEd+T+/b1HScJErsJSGHNRSswg/4VkD1G2AwA1EC86SDq9J1Jr0Ob OML7FyIazsDwq+5geC8KvzYq4NdZ2s19+p6kuZgTvPwOjnfisrNvK7RUw0Z8D08Y ro/QXaPzTgnroTyKhO4cz0y71QOhulyujrsTi0LOT/C39SddVMu2tcC4kioiZ3Wp PV5zcj4aW6Ga/z8j2pCKkrthUu1/9oYDr2pc/lFmi0SH2zapQeNAPC4vuNl8gQMF ps7Q/WjzeXC6b4SJVu+dbIj2D1Upyj1h1kGdVzkt8R5rqqjJfQLttqSk7+uQvmxd ZR+gQTPEKKnucRZ7HcV1vFMy4Tu7OuoJMB3H+4Qa6yHLQZl/SyAbI8pGgXF3MBp2 oaleTG/rCx5iQnGXCXOtpS55/ky8zp08UH8rcNBcYbMZkgufFm8Rh4UA1QARAQAB tBxBNC5maW5hbmNlIDxtYWlsQGE0LmZpbmFuY2U+iQJOBBMBCgA4FiEEVjInx9ry bD/Vs6aJZGbaIhx91eEFAmJOKd4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AA CgkQZGbaIhx91eG7PRAAsigl6glo2EzlDT9GM942BXjXqslAJ0bmI0L98Six93Jy ZIKPseBl53lA1Ek0/AE/3ZbOMJReWVjsuSeuM0i5n7ZwEYVvGptgFw87bVDP3EEd 1KeSm3++1Zh9T+xfRkvHHNR90njwO1xWGGSmnEUQ4ZRB2jiCW6adp/2niOoke3bL 2mqKS873ymu0MKY3DLy/nUfBKI3XSf5uVwr3aUaXGoHxH3Ea2TMkCmFoirJpsDsP xQEcy8q2aiR2vA4oUixxKQOZypLB8kLdnyzCvABn1G8l6clCbSs1hHOhviidgsaN 47vMZFu3aNqUjKpyuqSTpbChNoNtqYXzcinPD7+Htk3e31GbrmDslk1jzVgr0ZD0 XehYl31HxFNaS4t3V54gSovteVekHpY5wW2jHzZs9In5mLZULwXptONIy1WHf2/6 fO9dlnGwD9hcwgb/+D47hs3Kz/XAcCpKM2XLhuQp0WGtRgNo80MGtGEzHrYluIeO MDnGFL6+YpMPKlcDzGM+R0kuDXazzhsO1vX/o8TATZVGudjz3oq6TN3gzgmGXl8K hsIJi3rL1T+gKat3UtbEOMgUmt9cHfQ2/9GjtIaxWnL5xD3oYahM9T9BGG5NUueP YtRoz/ZMEqhiuXSDlIOnXj7q4eYxnvS+b0vvgTg9Vzxu4+cp4jMoVotLJD8TfVi5 Ag0EYk4p3gEQAK7ZCqQDR5duV5xc56Qy3sjoiirA6vdjSsR2ZXVLXq2M0+QRTh7n +EfB9sieYIzHBgZPL0WArab1XQ0BuhSN6hPTtIBSd6NETzOGsdSRdODp6L81+PVs QINpYdYUSzJ0uF3VeeqLwDbStZxm74Q1yEw/YqKyrZ6jG9Y7j5itjHusVe462Cvj iIqonx/3QdYJa8Cw9u9kB233Snh8t8iGv6+2edBXpmD/tTO/yx2uF5nrp1dnPiPZ ZI6GchEqoLOtyt6XhSrxQyTXaCWAvr0tuCLN5peGVY+23cwd4dCvBJYbopOcHKVw buFlzTxF2LfkzTjJ53Eorr03DFTbBuL5MvgflkuHqbPa9lquEfaSe8iDkMWAyP2h uhNkSsaoOmFAzN+xj9shJCvYLp7WSRnPK3S854i8vefESERdFJsxBvEipLdTepuI YikyNXbA+LtfrEbMgy7C+YC58XPomBTO7sPG7dMMmoCLMQrZz1+JRrkIIJlt/5K0 LvMetmJSzNg9s/jmfoMng30pdrmPXKXdGW756P8DdFJlXzvTC63EoID1YCZvAxac MCx3fELtO1u7jlzu7LRfQYCuN24Fpc6fROnB6061ue7otGsrNVGslCaoR9200zd6 WHqTUJUH1OEn7xIUHJan/jixhMO6zEjvP6b/PVvKIX8IxtcDYYRj7Y83ABEBAAGJ AjYEGAEKACAWIQRWMifH2vJsP9WzpolkZtoiHH3V4QUCYk4p3gIbDAAKCRBkZtoi HH3V4frAEACsL/swrDQ6HbTMjy99ousOpxN8HVdZxhVRxq4547tr0Knj6vFCk6i6 k9X6A1o+Ny4HUCpnJyKa2TEGZxsp/9u8En9/U99s2IbInQ3b9gYlfr7XaSb724qU b2Be74WGjRWb0x7QFmo8z4MUfnIeLFiEXVciQHkYwgxvzv86CglAb6xwhScE87Be BN3Qui1BDqNC/TclbAiIr3/UpZKdAAw9fecfuTFNdAC7voSFtJluodpIgJHlH9U1 q0dycMAV9NqlojbcFXJMGKh/FG08vEHSVTynKLHsGWCTtfl2+f4X7+RDDnaZjTVE UtJtIB4M36XtmQNqtMJ3Zooq5ZWys7epUQDyD8b/Byuy9NagzRfje6nFv9UoQETM ie96qL8Q/l/iXfQMu4tGEkJwRNnq1RVTXAIZdu5dDuAgkYbCUlRo15NGn1IsCG9f uVyWtc9yciG2MnbWAW1QvKx4+cbEWDVBJcoRfk4gMWX0s0AdQVdHW7fG2QudNVJg Mk4BRwlKwTlnnOmWmYFz0NpOAm5+j0WUOh5jD802o1T+zELuUy658sBO6/UISPJW mns4R9wVr8DBRAsg/4yS98ADqUKZ+rvki4StmjwYPYNqQeKrxIJ31jbT5FgAeAwg nkJhbiBx8UB9+K0F2hO0J8W8QXifpzdT2yiUaSlg+/2pqgeeDmbqLg== =fMUI -----END PGP PUBLIC KEY BLOCK-----

  • Vulnerability Category
  • Resume
  • Description
  • Actions to reproduce or proof of concept
  • Any relevant tools, including versions used
  • Tool logs
  • Possible options for fixing from your point of view
Report a bug

Bounty Program rules

  • All error and bug reports should be submitted from the form on the website
  • All bug reports are rated by A4 team and paid based on the severity of the vulnerability.
  • To receive payment for errors and bugs, you need to have an A4 account and link the email address you used to report bugs. Don't forget to report the UID of your A4 account. Rewards will be received in USDT and distributed to the account you specified.
  • A request for a payout in exchange for information about a vulnerability will result in the immediate disqualification from the reward program.
  • Please provide as much detail as possible so that we can reproduce your findings. Otherwise, you may miss out on rewards.
  • For combined vulnerabilities that can be exploited, we only pay for the highest level of vulnerabilities. For the same vulnerabilities, we will only pay for the first one, which contains enough detail in the report.
  • A4 reserves the right to cancel or change the bug bounty rules at its sole discretion.

Exceptions to the Program

We do not consider or accept as vulnerabilities:

  • Messages from security scanners and other automatic scanning tools.
  • Messages without demonstrating the actual existence of the vulnerability.
  • Messages without indicating reliably possible negative consequences.
  • Messages about missing security headers.
  • Attacks that require MITM or physical access to the user's device.
  • Vulnerabilities that only affect users of legacy or vulnerable browsers and platforms.
  • Vulnerabilities that can only hurt yourself.
  • Vulnerabilities we already know about.

Vulnerability categories

Critical vulnerability

  • Access to multiple devices on the internal network.
  • Obtaining superuser access to the main server part, leaking the main data of the enterprise and causing serious damage.
  • Smart contract overflow and conditional competition vulnerability.

High vulnerability

  • Gaining access to the system (getting a shell, executing commands, etc.).
  • Injecting system SQL (reducing backend vulnerabilities, prioritizing sending packets as needed).
  • Get unauthorized access to sensitive information, including but not limited to direct access to the management background by bypassing authentication, cracking backend passwords, SSRF getting sensitive information on the internal network, etc.
  • Random reading of the document.
  • XXE is a vulnerability that can access any information.
  • Unauthorized transaction involves money, payment logic bypass (must be used successfully).
  • Serious logical design defects and technological defects. This includes, but is not limited to, any user login vulnerability, account password batch change vulnerability, logical vulnerability affecting the core business of an enterprise, etc., except for the verification code explosion.
  • Other vulnerabilities affecting users on a large scale. This includes, but is not limited to, XSS storage which can automatically propagate to critical pages. The XSS store can access the admin authentication information and can be used successfully.
  • Lots of source code leaked.
  • Enable defect control in a smart contract.

Medium vulnerability

  • A vulnerability that could affect users through interaction. It includes but is not limited to storage XSS on shared pages, core business related CSRF, etc.
  • General unauthorized work. It includes, but is not limited to, modifying user data and performing user operations bypassing restrictions.
  • Denial of service vulnerabilities. It includes, but is not limited to, remote denial of service vulnerabilities caused by web application denial of service.
  • Vulnerabilities caused by a successful explosion with a system-sensitive operation such as access to the account credentials due to logical flaws in the verification code.
  • Leakage of locally stored confidential authentication key information that needs to be used effectively.

Low vulnerability

  • Local denial of service vulnerabilities. It includes but is not limited to local client denial of service (parsing file formats, crashes generated by network protocols), issues caused by Android component permissions being exposed, application sharing, etc.
  • Leakage of general information. This includes but is not limited to web path traversal, system path traversal, directory browsing, etc.
  • Reflective XSS type (including DOM XSS / Flash XSS).
  • Generic CSRF.
  • URL Skip Vulnerability.
  • SMS bombs, mail bombs (each system accepts only one type of this vulnerability).
  • It is impossible to prove that other less dangerous vulnerabilities are dangerous (for example, a CORS vulnerability that cannot access sensitive information).
  • No return value and no deep use of successful SSRF.