1. Guidelines
We ask that all researchers:
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
• Use the identified communication channels to report vulnerability information to us
• Report vulnerabilities as soon as you discover them, but keep them confidential between yourself and Etherscan until we’ve resolved the issue
• Provide us with at least 5-7 working days to investigate the issue and respond to you

2. Additionally, if you are the first to report the issue, and we make a code or configuration change based on the issue, we commit to:
• Recognize your contribution on Etherscan.io (see the list below of the last 20 contributors)
• Reward you with a bounty (up to a maximum of $50 paid out per month):
- $10 in Ether if you identified a vulnerability that presented a severe risk *
- $5 in Ether if you identified a vulnerability that presented a moderate risk *
- $3 in Ether if you identified a vulnerability that presented a mild risk *
- $1 in Ether if there was in fact no vulnerability, but we still made a code or configuration change nonetheless
The researcher will provide us with an Ethereum address for the payout within 7 days after we have resolved the issue.
* The vulnerability level will be determined at our discretion

3. Scope

4. Out of scope
• Findings derived primarily from social engineering (e.g. phishing, etc)
• Findings from applications or systems not listed in the ‘Scope’ section
• UI/UX bugs, Data entry errors, spelling mistakes, typos, etc
• Network level Denial of Service (DoS/DDoS) vulnerabilities
• Spam or Social Engineering techniques, including SPF and DKIM issues
• Security bugs in third-party applications or services
• XSS Exploits that do not pose a security risk to 'other' users (Self-XSS)
• Login/Logout CSRF-XSS
• https/ssl or server-info disclosure related issues
• Brute-force attacks

5. How to Report a Security Vulnerability
• Description of the location and potential impact of the vulnerability
• A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
• Your name/handle and a link for recognition in our Hall of Fame (twitter, reddit, facebook, hackerone, etc)
• Email us at [Bug Bounty Report]

Special thanks to the following researchers for helping us make Etherscan.io a better place

- Martin Abbatemarco - https://hackingmood.com
- Andrew Curtin - https://www.twitter.com/adcurtin
- Shivam Kamboj Dattana - https://www.twitter.com/Sechunt3r
- David Fiala - https://www.fiala.me/
- Raz0r of Positive.com
- Yaroslav Babin - https://positive.com
- Taha Smily - https://twitter.com/TahakhanTaha
- Ahsankhan
- Sai Naik - http://hackingmonks.net
- Anas Roubi
- Sumit Sahoo - https://www.sumitsahoo.com/
- Swaroop Yermalkar - @swaroopsy
- Mohd Aqeel Ahmed (Ciph3r00t) - https://www.facebook.com/ciph3r00t
- Muhamad Zeeshan - fb.com/zeeshan.1338
- Smit Gajra
- Shawar Khan - https://shawarkhan.com
- Taimoor Abid - https://www.facebook.com/T4YM.H4X0R
- Cristian Joseph D. Legacion - https://www.facebook.com/cj.legacion10
- Muhammad Zeeshan - https://hackerone.com/zee_shan
- Tayyab Qadir - https://www.facebook.com/tqMr.EditOr
- Arbin Godar - (www.arbingodar.com)
- Nirmal Thapa - (https://twitter.com/nirmal_4n_)
- Sami Drif - (https://www.facebook.com/SaMi.Chichirovo)
- Hasan Bilen - (https://www.facebook.com/profile.php?id=1818527281)
- Vrde - (https://twitter.com/vrde)