
MIDAS Bug Bounty Program

MIDAS runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of MIDAS set out below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the further process of vulnerability remediation and disclosure between MIDAS and researchers.

The bug bounty program allows private and public submissions.

Bug Bounty Scope

The following websites are within the scope of the program:

midas.network
pentest.mid.as
mid.as

Non-Intrusive Submissions Handling

The following section covers submissions of vulnerabilities that do not require intrusive testing, as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

No technology is perfect, and here at MIDAS we believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in our software and infrastructure.
If you believe you've found a security issue within our software or infrastructure, please let us know as soon as possible. We actively encourage and welcome private, coordinated and responsible disclosures.

We'll work alongside researchers who disclose potential issues to us in a private/responsible manner, to address any security concerns/vulnerabilities in a timely manner.

As our security team is English-speaking, we request that all reports be disclosed to us in English.

Testing Requirements:

Your initial report to us should include:
- Sufficient details of the vulnerability to allow it to be understood and reproduced by our developers and security team.
- HTTP requests and responses, HTML snippets, screenshots or any other supporting evidence.
- Redact any personal data before reporting.
- Proof of concept code (if available).
- The impact of the vulnerability.
- Any references or further reading that may be appropriate.
- Recommendations on how the issue could be mitigated or resolved.

The following are considered "in scope":
- mid.as (our main public website)
- pentest.mid.as (a hosted test MIDAS system, similar to that used by our hosted customers)
- midas.network (our dedicated service status site, and origin of our CDN)

The following are considered "out of scope":
- Vulnerabilities in 3rd party components or services
- Any of our customers' "hosted" MIDAS systems.

Researchers should:
1. Ensure that any testing is legal and authorized, and within the Scope set out above.
2. Respect the privacy of others, including our customers.
3. Not engage in activities which may impact our customers' ability to access our services, including but not limited to DoS/DDoS-style attacks.
4. Refrain from spamming or social engineering activities.
5. Not make physical attempts against MIDAS property or data centers.
6. Make reasonable efforts to contact our security team.
7. Not demand payment or other rewards as a condition of providing information on security vulnerabilities, or in exchange for not publishing the details or reporting them to industry regulators.

Possible Awards:

We may, at our sole discretion, provide a monetary reward or "bug bounty" to the security researcher.
Whether a monetary reward is offered and any amount will be based upon a number of factors, including - but not limited to - the potential likelihood and severity of the reported issue occurring/being exploited, as well as the researcher's cooperation and adherence to these guidelines.

For issues we consider to be very small/minor/negligible, it's unlikely that we'll be able to offer a monetary reward.

Regardless of whether a monetary reward is offered, we will happily acknowledge and credit the researcher accordingly on our dedicated page: https://security.midas.network/credits

Special Notes:

Full reporting guidelines may be viewed at https://security.midas.network/reporting

Other Submissions Handling

The website owner wants to receive information about other vulnerabilities.

Notifications:

https://security.midas.network/contact

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time: How quickly researchers get responses to their submissions.
Remediation Time: How quickly reported submissions are fixed.
Cooperation and Respect: How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.
