
Security

Introduction

The Block’s security policies and practices seek to ensure compliance with all applicable laws, regulations, and our contractual obligations. Our policies and practices also seek to ensure the confidentiality and integrity of our data as well as the availability of the services we provide.

Policies

The Block’s security policies apply to all employees (full or part time), interns, and contractors. All policies are approved by the leadership committee and are scheduled to be reviewed yearly. We have a variety of policies in place to cover topics such as change management, third-party vendors, acceptable use, and risk management.

Authentication and authorization

All user accounts require both complex passwords (minimum of 10 characters) and MFA.

Access to resources is based on the principle of least privilege and is granted through a change management process. Access that is not needed long term is revoked.

Trainings

All new hires receive an initial security training. All employees receive monthly security micro-trainings on rotating topics. Educational phishing simulations are run on a monthly basis. Other trainings are held on a rolling basis.

Environments

Testing and production environments are logically separated. Corporate users have no access to testing or production. Each boundary is protected by a firewall that limits the ports and services to those required. Access to various environments is based on business need.

Change management

All changes to production and sensitive access grants go through a change management process. Separation of duties is enforced during the change management process. All requests are reviewed regardless of approval status. An emergency process for after-hours urgent changes is also in place.

Email security

An email firewall is in place to scan for malware in attachments and block suspicious emails. The email server will attempt to negotiate encryption if the sender’s server also supports it. Email is equipped with a “report phishing” button that allows employees to alert the Security Team to any phishing emails that made it past the firewall.

Vulnerability scanning

Production infrastructure is scanned on a monthly basis. Identified vulnerabilities are addressed based on criticality level.

Encryption

All data classified confidential or above is encrypted at rest (AES-256) and in transit (TLS 1.2 or above).

Vendor management

Vendors that store, process, or transmit data classified confidential or above receive a risk evaluation by the Security Team.

Vendor security posture, terms of service, and privacy practices are evaluated.

Bug bounty rules of engagement

The Block welcomes security researchers who are able to help us improve our security posture. Please read this page fully before engaging in any testing to ensure you remain within our acceptable guidelines for such testing, as violation of these rules of engagement will result in an IP block. The Block reserves the right to withhold payment if the guidelines herein are not followed.

What is allowed

Scoped domains

These are the only domains that should be tested. No subdomains or other domains belonging to The Block should be tested.

  • https://www.theblock.co
  • https://www.theblock.pro

Types of vulnerabilities in scope

The scope of this bug bounty program is for bugs that impact our security posture. Non-security bugs are not eligible for payment.

  • Server-side flaws
  • Authentication flaws
  • Cross site scripting
  • Cross site request forgery
  • Directory traversal
  • Misconfigurations or out of date software
  • Insecure cipher suites (unless previously reported to us)

What is not allowed

  • Privacy violations, performance degradation, modification of data, and/or destruction of data are all strictly prohibited.
  • Actually accessing our internal systems. If you have found a vulnerability, please submit it and refrain from exploiting it.
  • Any repeated network requests such as to test DDoS or rate limiting.
  • Social engineering of any kind. This includes phishing attempts, vishing, smishing, etc.
  • Testing from any countries on the US sanctions list. We are unable to pay anyone operating out of one of these countries and do not consent to testing from these locations.
  • Vulnerability disclosure to a third party. Please limit your disclosure to us.
  • Non-scoped domains or sub-domains. Please restrict your activities to the scoped domains listed above.

What we do not pay for

Bugs that are not security related.

Vulnerabilities that are not on the scoped websites. (For example, vulnerabilities on our Facebook page.)

Vulnerabilities in third parties we use.

In cases where one underlying issue causes multiple vulnerabilities, a reward is issued for the underlying issue, not the individual vulnerabilities.

Previously known vulnerabilities (found by us or found by another researcher) or vulnerabilities that we deem “informative.” These are vulnerabilities that we’re aware of and don’t deem a security threat to us.

Vulnerabilities that would require our employees’ interaction (e.g., installing software, navigating to a site, clicking on a malicious link, etc.)

Vulnerabilities that are only exploitable by us such as tab nabbing and clickjacking.

Any bug, misconfiguration, or vulnerability that we choose not to address.

WAF bypass on ephemeral dev/testing IPs.

Nuisance exploits (such as requesting multiple password resets) that are not a security risk.

Missing permissions policies - we have set the ones we want to be set.

Cookies that function as expected (such as when a cookie stores the referral URL.)

When we pay

We will confirm receipt of a complete report within 1 business day. We then request 5 business days to validate the vulnerability. Payment will be made once the vulnerability is closed and subsequently confirmed by the reporter, or within 30 days, whichever comes first.

How much we pay

Our pay range is between $50 and $1,000 depending upon how severely we feel we are impacted by the vulnerability. The more severe the vulnerability, the higher the payment.

Once we’ve had time to review your submission, we will respond to you with the award amount, if applicable. Please submit an invoice to us for the specified amount. Payments are issued in USD (US dollars) via bank-to-bank transfer.

Requirements

  • The reported vulnerability must be reproducible. Steps to do so must be clear and complete.
  • A report should include a single vulnerability, with the vulnerability name in the subject of the email.
  • Send an email to [email protected] and please include:
    • Summary of issue, description, and proposed severity
    • Steps to reproduce the issue
    • Browser info if applicable
    • Affected URLs
    • Any associated console logs and screenshots
  • Vulnerability scanning should be limited to a maximum of 5 requests per second. Overly aggressive scans will result in an IP block.
  • You will be asked to provide us with your full name, your country of residence, and a short summary of your security credentials.

Legal notice

We are unable to issue rewards to individuals who are on sanctions lists, or who reside in countries (e.g., Cuba, Iran, North Korea, Syria, Crimea, and the so-called Donetsk People's Republic and Luhansk People's Republic) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter the program depending upon your local laws.


This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.


Your testing must not violate any law, or disrupt or compromise any data that is not your own.
To avoid potential conflicts of interest, we will not grant rewards to people employed by The Block or The Block Partner companies who develop software covered by this program.

 

Last updated: August 4, 2023