Desktop Applications

Rewards for Windows / macOS

🔐 Non-Custodial Operations

Bron never holds or controls user private keys, funds, or assets. All transactions are user-initiated and executed directly with third-party smart-contract protocols. Swap and staking functions are performed via independent third-party APIs. Bron only provides technical access and does not pool, intermediate, or custody user assets.

Reward Calculation

Rewards are calculated based on the CVSS v4.0 Base score. Use the official calculator: https://www.first.org/cvss/calculator/4-0

🎖️ NFT Reward Guarantee

Every accepted bounty submission entitles the researcher to a non-transferable Bron NFT in addition to the monetary reward listed below. The NFT grants a complimentary Basic tier subscription for 2026 (or an upgrade to the next tier if Basic is already active, capped at Enterprise). To receive any reward, a Bron wallet is required — bounty payments are distributed in stablecoins to the researcher's Bron wallet address.

Severity Level   CVSS v4.0 Score   Reward Range (USD)
--------------   ---------------   ------------------
Low              0.1 — 3.9         $5 — $50
Medium           4.0 — 6.9         $50 — $1,500
High             7.0 — 8.9         $1,500 — $5,000
Critical         9.0 — 9.4         $5,000 — $10,000
Exceptional      9.5 — 10.0        more than $10,000

💰 Reward Adjustments

If the PoC demonstrates direct financial impact, mass PII leakage, or full account takeover with access to funds, our security team may apply an increased reward within the specified ranges.

Remediation Bonus: Reports including detailed remediation recommendations with code examples or specific mitigation strategies may receive up to 10% bonus reward.

🛡️ Compliance Notice

All bounty payments are made in USD-denominated stablecoins to the researcher's Bron wallet address and are subject to sanctions screening and anti-money-laundering controls consistent with Bron's compliance policy. Rewards cannot be paid to individuals or entities on applicable sanctions lists.

Application Overview

Bron Desktop is an MPC (Multi-Party Computation) crypto-wallet application designed for both individual users and corporate entities requiring multi-signature workflows. The application enables secure key management through distributed MPC shards, with each party unable to independently authorize critical operations such as fund withdrawals.

📄 Scope Description Notice

Descriptions below are provided solely to define the testing scope. They do not constitute marketing of financial products or an offer of investment in any token or protocol.

Built on the Wails framework (Go + WebView), the application combines backend security with modern React-based UI. The wallet supports biometric authentication, password protection, and hardware-backed key storage through OS-level security mechanisms (TPM for Windows, Keychain for macOS).

Supported Platforms:

  • Windows: Windows 10 and 11
  • macOS: ARM-based M-series processors only

Technical Stack

  • Framework: Wails (Go-based Electron alternative)
  • Frontend: React, TypeScript, JavaScript
  • Backend: Go
  • WebView: Embedded browser engine for UI rendering
  • Communication Protocols:
    • gRPC — MPC coordinator communication
    • REST API — Backend services interaction
  • Key Storage:
    • Windows: TPM (Trusted Platform Module)
    • macOS: Keychain

Critical Components in Scope

  • MPC Protocol Implementation: All aspects of MPC shard generation, storage, and usage
  • Local Storage Security: Encrypted shard storage on disk, key derivation from TPM/Keychain
  • Update Mechanism: Auto-update functionality and version verification
  • Deep Link Handling: Registered deep link processing and validation (e.g., bron:// URLs)
  • WebView Isolation: Sandboxing and escape prevention from embedded browser to OS
  • Anti-debugging Mechanisms: Protection against runtime analysis and tampering
  • Authentication Systems: Biometric authentication, password validation, session management

Impacts in Scope

The following impact scenarios are within the scope of our Bug Bounty program, grouped by severity. We prioritize zero-click and one-click attacks:

Critical

  • MPC Shard Theft: Unauthorized access to or exfiltration of MPC shards from local storage or memory
  • Private Key / Seed Phrase Exposure: Extraction of cryptographic secrets through any means
  • Remote Code Execution (RCE): Arbitrary code execution on the host system
  • Privilege Escalation: Gaining elevated system privileges (admin/root) from application context
  • WebView Escape: Breaking out of the WebView sandbox to execute code on the host OS
  • Deep Link Exploits: One-click attacks via malicious deep links (e.g., bron://xss-payload) leading to XSS, code execution, or fund theft

High

  • Authentication Bypass: Bypassing biometric, password, or multi-factor authentication
  • Update Mechanism Exploits: Compromising the auto-update process to deliver malicious payloads
  • Stored XSS in WebView: Persistent XSS leading to session hijacking or unauthorized operations
  • TPM/Keychain Bypass: Circumventing OS-level key storage protections
  • MPC Coordinator MITM: Intercepting or manipulating gRPC communication with MPC coordinator

Medium

  • Sensitive Data Exposure: Leaking tokens, credentials, or transaction data through logs or temporary files
  • Anti-debugging Bypass: Circumventing protection mechanisms to enable runtime analysis (only if it leads to further exploitation)
  • Session Management Issues: Session fixation, concurrent session abuse, or improper logout
  • Reflected XSS: Cross-site scripting requiring user interaction but leading to fund access

Low

  • Information Disclosure: Non-sensitive information leaks (software version, diagnostic data)
  • Logging Issues: Excessive logging without exposure of critical secrets

⚡ Priority: Zero-Click & One-Click Attacks

We are particularly interested in zero-click attacks (requiring no user interaction) and one-click attacks (requiring minimal user interaction such as clicking a malicious deep link). These represent the highest risk to our users and will receive premium rewards.

Out of Scope — Desktop Application Specific

For general exclusions applicable to all testing scopes, see the Policy page. The following are Desktop-specific exclusions:

Desktop-Specific Exclusions

  • Performance issues: Slow rendering, high CPU/memory usage, or optimization concerns
  • Memory dump attacks without demonstration: Simply stating that process memory can be dumped is not sufficient. A working PoC demonstrating MPC shard extraction with mitigation recommendations is required
  • Backend API vulnerabilities: These should be reported under Web & API scope, not Desktop scope

⚠️ Important Note on Memory Dump Attacks

While we acknowledge that process memory dumping is technically possible, reports focusing solely on this attack vector without a working PoC and mitigation recommendations will not be accepted. We have implemented anti-debugging and memory protection mechanisms. Demonstrating actual shard extraction with analysis of our protections is required for acceptance.