vetrafi-bounty

@vetrafi
Live

Total reward

$8,000

Findings submitted

29

Start date

6 Jun 2025

VetraFi is modern banking for a new era of service member. Our company is built for the unique needs of service members and veterans, and we seek to empower your financial stability. We put more money into the pockets of America's service members every month through our high-yield savings accounts, and we offer best-in-class features and benefits designed for our fellow troops and veterans.

Scope

In-Scope Targets:

  • Web Interface / Application:
  • Other In-Scope Assets:
    • Mobile app (Android & iOS) - not live yet
    • api.vetrafi.com
    • Any infrastructure related to VetraFi

If you discover a vulnerability in any component not explicitly listed but which poses a risk to user funds, user data, or system integrity, you may submit it for consideration. Our team will review such submissions on a case-by-case basis.

  • Potential In-Scope Issues:
    • Modifying or deleting data that does not belong to the signed-in user
    • Viewing non-public customer data
    • Directly affecting the confidentiality or integrity of user data or the privacy of users
    • Cross-site request forgery (CSRF / XSRF)
    • Persistent cross-site scripting (XSS)
    • XML external entity injection (XXE)
    • Authentication bypass / unauthorized data access
    • Encryption vulnerabilities
    • Remote code execution
    • SQL injection
    • Privilege escalation
  • Out-of-Scope Targets:
    • staging.vetrafi.com
    • *.render.com / *.render.app
    • *.vercel.app
    • *.webflow.io

Prohibited Actions

  • No Unauthorized Testing on Production Environments:
    Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

  • No Public Disclosure Without Consent:
    Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

  • No Exploitation or Data Exfiltration:
    Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

  • No Conflict of Interest:
    Individuals currently or formerly employed by VetraFi, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Please report vulnerabilities directly to the cantina.xyz bug bounty platform. Include:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce the issue (proof of concept preferred).
  • Conditions under which the issue occurs.
  • Potential implications if exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

  • Be the first to report a previously unknown, non-public vulnerability within scope.
  • Provide sufficient information to reproduce and fix the issue.
  • Not have exploited the vulnerability in a malicious manner.
  • Not have disclosed the vulnerability to third parties prior to receiving permission.
  • Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level     | Impact: Critical | Impact: High | Impact: Medium | Impact: Low
Likelihood: High   | Critical         | High         | Medium         | Low
Likelihood: Medium | High             | High         | Medium         | Low
Likelihood: Low    | Medium           | Medium       | Low            | Informational

Severity guidelines:

  • Vulnerabilities that could directly impact financial assets or expose sensitive data at scale are typically classified as Critical.
  • If the issue affects individual users or involves non-sensitive data, the severity may be rated as High or Medium, depending on the context and impact.
  • Findings that require unlikely user actions or have strong mitigating factors—such as being difficult or impractical to exploit—are generally considered Low or Informational.

Likelihood Definitions:

  • High: Very easy to exploit or highly incentivized.
  • Medium: Exploitation is possible under certain conditions.
  • Low: Difficult to exploit or requires very specific conditions.

Payout Guidelines

Risk Score | Payout Range
Critical   | Up to $8,000
High       | Up to $4,000
Medium     | Up to $1,000
Low        | Discretionary

Note: Actual reward amounts are determined at VetraFi’s sole discretion. Factors influencing payout include report quality, completeness, and severity/exploitability.

Other Terms

By submitting a report, you grant VetraFi the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of VetraFi. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.