Bug Bounty & Responsible Disclosure

Last updated:

1. Introduction

PocketNode welcomes security researchers who responsibly disclose vulnerabilities. We are committed to working with the security community to protect our users. If you discover a security issue, we encourage you to report it to us before making it public so we can investigate and address the problem.

2. In Scope

  • api.pocketnode.org — all backend API endpoints
  • pocketnode.org — frontend XSS, CSRF, clickjacking, injection attacks
  • Android APK (com.pocketnode) — auth bypass, insecure data storage, reverse engineering findings
  • PNODE Smart Contract (0x646FcC4b0F508F53A4556d3d35DB07c83c1A9344 on BSC) — logic bugs, reentrancy, privilege escalation

3. Out of Scope

  • Social engineering or phishing attacks
  • Denial of Service (DoS/DDoS) attacks
  • Vulnerabilities in third-party services (Cloudflare, BSC infrastructure)
  • Previously known or publicly disclosed vulnerabilities
  • Automated scanning without prior permission

4. Severity & Rewards

Severity | CVSS Score | Examples                                              | Reward
---------|------------|-------------------------------------------------------|---------------------------
Critical | 9.0–10.0   | RCE, full auth bypass, smart contract fund drain      | PNODE reward (TBD per case)
High     | 7.0–8.9    | Data breach, privilege escalation, account takeover   | PNODE reward
Medium   | 4.0–6.9    | XSS, CSRF, sensitive data exposure                    | Public acknowledgement
Low      | 0.1–3.9    | Minor information disclosure                          | Hall of Fame

5. Rules

  • No public disclosure before patch (90-day coordinated disclosure window)
  • No accessing, modifying, or deleting user data beyond minimal proof of concept
  • No disruption of production services
  • Good faith effort to avoid privacy violations

6. How to Report

Email: [email protected]
Subject line: Security Disclosure: [Brief Description]

Include in your report:

  • Vulnerability type and affected component
  • Step-by-step reproduction instructions
  • Proof of concept (screenshots, code, or video)
  • Potential impact assessment

7. Response Timeline

  • Acknowledgement: Within 48 hours
  • Triage and assessment: Within 7 business days
  • Fix timeline: Based on severity (Critical: expedited, others: standard release cycle)
  • Public disclosure: 90 days after patch, coordinated with reporter

8. Hall of Fame

We thank the following researchers for responsible disclosures: (No entries yet — be the first!)