Bug Bounty Program

Qore3 Vulnerability Disclosure Program (VDP)

Overview

At Qore3, security is foundational to our infrastructure, wallet technology, APIs, and digital asset services. We actively support responsible security research and believe that collaboration with the security community strengthens our ecosystem.

This Vulnerability Disclosure Program (VDP) explains how security researchers and ethical hackers can safely report potential security issues to us. Our goal is to provide a transparent, cooperative, and legally safe process for identifying and resolving vulnerabilities before they can be misused.


Scope of Testing

We welcome responsible testing and reporting of vulnerabilities affecting:

  • Public-facing Qore3 web applications and dashboards

  • Qore3 APIs, RPC endpoints, and blockchain-related services

  • Official Qore3 mobile applications (iOS and Android)

  • Public infrastructure owned and operated by Qore3 (DNS, email, authentication services)

  • Qore3-managed open-source repositories

Only assets explicitly listed in the In-Scope Assets section below are eligible for testing under this program.


In-Scope Assets

  • qore3.com (production web application)

  • api.qore3.com (REST APIs, RPC endpoints, SDK endpoints)

  • Official Qore3 iOS and Android applications

  • Public repositories maintained by Qore3 on GitHub


Out-of-Scope Activities

The following are not permitted under this program:

  • Testing of internal, staging, or non-public systems

  • Social engineering, phishing, or impersonation attempts

  • Denial of Service (DoS/DDoS) or resource exhaustion testing

  • Physical security testing or hardware tampering

  • Vulnerabilities in third-party systems not controlled by Qore3

  • Automated scanning that disrupts production services

If you are unsure whether something is in scope, please contact us before testing.


Safe Harbor Commitment

Qore3 supports good-faith security research. If you adhere to this policy:

  • We will not initiate legal action against you under applicable computer misuse laws.

  • We will not involve law enforcement unless there is evidence of malicious intent (e.g., data theft, extortion, disruption).

  • We will work with you to validate and remediate reported issues.

  • We may publicly acknowledge your contribution (if you consent).

This safe harbor applies only to activities conducted in compliance with this policy.


How to Report a Vulnerability

Please submit reports via email to: [email protected]

Include the following information:

  • Summary – Clear description of the vulnerability

  • Steps to Reproduce – Detailed reproduction instructions

  • Impact Assessment – Explanation of potential risks or exploit scenarios

  • Proof of Concept – Screenshots, logs, scripts, or video evidence

  • Affected Asset(s) – Domain, API endpoint, mobile app version, etc.

  • Your Contact Information – Name, email, and optional social handle

Reports that are clear, reproducible, and well-documented enable faster triage.


Response & Resolution Timeline

We aim to maintain transparent communication throughout the process:

  • Acknowledgment: Within 3 business days

  • Initial Assessment: Within 7 business days

  • Remediation Timeline: Based on severity and complexity

  • Status Updates: At least every 14 days until resolution

  • Public Disclosure Coordination: Mutually agreed prior to any public announcement


Severity Classification

Qore3 evaluates vulnerabilities using the CVSS v3.1 scoring methodology:

  • Critical (9.0–10.0) – Examples: Remote Code Execution, Authentication Bypass, Critical Key Exposure

  • High (7.0–8.9) – Examples: Privilege Escalation, Stored XSS leading to account compromise

  • Medium (4.0–6.9) – Examples: Reflected XSS, IDOR affecting non-sensitive data, limited SSRF

  • Low (0.1–3.9) – Examples: Clickjacking, missing security headers, minor misconfigurations

Severity ratings consider real-world exploitability and business impact.


Coordinated Disclosure

We request up to 90 days to remediate reported vulnerabilities before public disclosure.

  • If remediation is completed sooner, we may coordinate earlier disclosure.

  • In cases of active exploitation or critical systemic risk, timelines may be accelerated.

  • Public disclosure should be mutually agreed upon to protect users and the ecosystem.


Rewards & Recognition

Qore3’s Vulnerability Disclosure Program is not a monetary bug bounty program.

However, we value impactful contributions and may offer:

  • Public acknowledgment (Hall of Fame listing)

  • Swag or token recognition (at our discretion)

  • Professional reference upon request

We appreciate responsible security contributions that strengthen our platform.


By participating in this program, you agree:

  • To comply with all applicable laws and regulations

  • To avoid accessing, modifying, or deleting user data beyond what is necessary to demonstrate the issue

  • Not to exploit vulnerabilities for financial gain or service disruption

  • Not to publicly disclose vulnerabilities prior to coordinated agreement

  • Not to request payment or use vulnerability findings as leverage

Violation of these conditions voids safe harbor protections.


Appreciation

We are grateful to the global security community for helping protect Qore3’s digital asset infrastructure. Responsible disclosures help us build a safer and more resilient ecosystem for our users.

If you have questions about this policy, please contact [email protected].

Last updated