Bug Bounty Program

Overview

Boom Technologies (UK) Ltd (“Boom”) is pleased to announce its Bug Bounty program (the “Program”) to incentivise responsible disclosure of software and security vulnerabilities (“Bug”).

Reward

Boom will offer a reward of up to €100,000 in Boomcoins (“BMC”) per disclosure.

Scope

The scope of this Program is focused on medium to high and critical defects across Boom’s web2 technology infrastructure and web3 smart contracts.

The following are not within the scope of the Program:

  • Bugs in any third-party contract or platform that interacts with Boom
  • Vulnerabilities already reported and/or discovered in apps/contracts by third parties
  • Any already-disclosed bugs

Vulnerabilities contingent upon the occurrence of any of the following also are outside the scope of this Program:

  • DDoS attacks
  • Spamming
  • Phishing
  • Compromise or misuse of third party systems or services.

Term

This program is for an indefinite term.

Rewards

Rewards will be allocated based on the severity of the bug disclosed and will be evaluated and rewarded at the discretion of the Boom Technologies (UK) Ltd team.

Showstopper bugs that could lead to any loss of funds or compromise user data will be rewarded at the maximum grant of €100,000 in Boomcoins (BMC). Lower severity bugs will be rewarded at the discretion of the Boom team.

Disclosure

Any vulnerability or bug discovered must be reported only to the Boom Security Incident Response Team (BSIRT) at the following email: bsirt@boom.market.

The vulnerability must not be disclosed publicly or to any other person, entity or email address before Boom has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, disclosure must be made within 24 hours following discovery of the vulnerability.

A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:

  • The conditions on which reproducing the bug is contingent.
  • The steps needed to reproduce the bug or, preferably, a proof of concept.
  • The potential implications of the vulnerability being abused.

Anyone who reports a zero-day vulnerability that results in a change to the code or configuration, and who keeps such vulnerability confidential until it has been resolved by our engineers, will be recognised publicly for their contribution if they so choose.

Eligibility

To be eligible for a reward under this Program, you must:

  • Discover a previously unreported, non-public vulnerability that is within the scope of this Program.
  • Be the first to disclose the unique vulnerability to bsirt@boom.market, in compliance with the disclosure requirements above. If similar vulnerabilities are reported within the same 24-hour period, rewards will be split at the discretion of Boom Technologies (UK) Ltd.
  • Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
  • Not engage in any unlawful conduct when disclosing the bug to bsirt@boom.market, including through threats, demands, or any other coercive tactics.
  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
  • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of Boom.
  • Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
  • Be at least 16 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.
  • Not be one of our current or former employees, vendors, or contractors or an employee of any of those vendors or contractors.
  • Comply with all the eligibility requirements of the Program.

Miscellaneous

By submitting your report, you grant Boom Technologies (UK) Ltd any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at the sole discretion of Boom Technologies (UK) Ltd.

The terms and conditions of this Program may be altered at any time without notice.