Web Applications & APIs

Rewards for *.bron.org, *.bron.xyz

🔐 Non-Custodial Operations

Bron never holds or controls user private keys, funds, or assets. All transactions are user-initiated and executed directly with third-party smart-contract protocols. Swap and staking functions are performed via independent third-party APIs. Bron only provides technical access and does not pool, intermediate, or custody user assets.

Reward Calculation

Rewards are calculated based on the CVSS v4.0 Base score. Use the official calculator: https://www.first.org/cvss/calculator/4-0

🎖️ NFT Reward Guarantee

Every accepted bounty submission entitles the researcher to a non-transferable Bron NFT in addition to the monetary reward listed below. The NFT grants a complimentary Basic tier subscription for 2026 (or an upgrade to the next tier if Basic is already active, capped at Enterprise). To receive any reward, a Bron wallet is required — bounty payments are distributed in stablecoins to the researcher's Bron wallet address.

Severity Level   CVSS v4.0 Score   Reward Range (USD)
Low              0.1 — 3.9         $50 — $250
Medium           4.0 — 6.9         $250 — $2,500
High             7.0 — 8.9         $2,500 — $5,000
Critical         9.0 — 9.4         $5,000 — $10,000
Exceptional      9.5 — 10.0        more than $10,000

💰 Reward Adjustments

If the PoC demonstrates direct financial impact, mass PII leakage, or full account takeover with access to funds, our security team may apply an increased reward within the specified ranges.

🛡️ Compliance Notice

All bounty payments are made in USD-denominated stablecoins to the researcher's Bron wallet address and are subject to sanctions screening and anti-money-laundering controls consistent with Bron's compliance policy. Rewards cannot be paid to individuals or entities on applicable sanctions lists.

Application Overview

Bron Web & API is an MPC crypto-wallet platform providing comprehensive digital asset management through a web interface. The platform includes staking, liquidity locking, native token purchases with tier-based benefits (from standard tier to Founders Club), Canton Network integration, and Intent-based swap functionality. Organizations can create workspaces with role-based access control and multi-signature transaction approval workflows.

📄 Scope Description Notice

Descriptions below are provided solely to define the testing scope. They do not constitute marketing of financial products or an offer of investment in any token or protocol.

Key Features:

  • Multi-chain wallet with transaction history and balance tracking
  • Token staking with automated reward distribution
  • Token-based or subscription-based membership tiers with enhanced features
  • Multi-member management with role-based permissions and multi-signature approvals
  • Cross-chain token swaps through an intent-based protocol
  • Interoperability with Canton blockchain

Domains in Scope: *.bron.org, *.bron.xyz (all subdomains)

Impacts in Scope

The following impact scenarios are considered valid vulnerabilities and are within the scope of our Bug Bounty program, grouped by severity:

Critical

  • Transaction Manipulation: Unauthorized transaction creation, modification, or execution on behalf of another user — HIGHEST PRIORITY
  • Balance Manipulation: Unauthorized viewing or modification of user balances and wallet information
  • Remote Code Execution (RCE): Arbitrary code execution on backend servers
  • Authentication Bypass: Circumventing passkey authentication or 2FA mechanisms
  • SQL Injection: Database injection attacks leading to data access or manipulation

High

  • Account Takeover: Full account compromise without user credentials
  • Mass Data Leakage: Unauthorized access to multiple users' data (balances, transaction history, PII)
  • Discretionary Access Model Bypass: Circumventing RBAC or organization permission boundaries
  • Reflected XSS with Impact: XSS requiring user interaction but leading to account compromise or fund access
  • Privilege Escalation: Gaining higher-level roles or permissions within an organization workspace
  • Multi-signature Bypass: Executing transactions without the required number of approvals

Medium

  • Business Logic Flaws: Manipulation of tier system, staking calculations, or reward distribution
  • CSRF on Sensitive Operations: Cross-site request forgery on withdrawal, transfer, or settings modification
  • Information Disclosure: Leaking sensitive user data (IP addresses, user agents, session tokens)
  • Session Management Issues: Session fixation, inadequate session expiration, or concurrent session abuse

Low

  • Rate Limiting Issues: Rate limit bypass without demonstrable security impact
  • Minor Information Disclosure: Non-sensitive information leaks (software versions, API structure)

⚡ XSS — Elevated Priority

All XSS vulnerabilities (Stored and Reflected) are treated with elevated severity because the web interface is rendered in the Desktop application's WebView. A successful XSS could allow an attacker to invoke Wails framework methods that interact with the host OS, escalating to RCE or MPC shard theft.

This architectural consideration means even "typical medium-impact" XSS on web may escalate to Critical when viewed in Desktop context.