DAO Proptech’s Bug Bounty Program

Important Notice: DAO Proptech Bug Bounty Program Discontinued

This message informs you that DAO Proptech’s Bug Bounty Program is no longer operational.

We take security seriously at DAO Proptech and are committed to protecting the security of our customers’ data and systems. We recognize that no system is perfect, and we value the expertise of the security research community in helping us identify and fix vulnerabilities before they can be exploited by attackers.

Our Bug Bounty program is designed to incentivize security researchers to report vulnerabilities that they find in our systems. We offer rewards for valid and unique vulnerabilities, and we work closely with researchers to remediate vulnerabilities as quickly as possible. We encourage all security researchers to participate in this program before disclosing any vulnerability publicly. If you find a vulnerability in our systems, please report it to us so that we can fix it and protect our customers.

How to report?

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
  • Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Scope

The scope of issues is limited to technical vulnerabilities in the DAO Proptech website or mobile apps. Please do not attempt to compromise the safety or privacy of our users (so please use test accounts), or the availability of DAO Proptech through DoS attacks or spam. We also ask that you not use vulnerability testing tools that generate a significant volume of traffic.

Below is the list of domains included in the bug bounty program:

  1. *.daoproptech.com
  2. *.daoproptech.com.pk
  3. *.daoproptech.pk

Rewards

We use CVSS to determine the severity of vulnerabilities, and all payouts are made according to the determined CVSS score. Our bug bounty ranges from 15k to 75k PKR, and critical, outstanding reports with a clear demonstration of reproduction steps can be rewarded higher at the company’s discretion.

Below, you can find examples of vulnerabilities and their impacts grouped by our severity ranking. This is not an exhaustive list; it is designed to give you insight into how we rate vulnerabilities.

Critical

  • Remote Code Execution (RCE) – able to execute arbitrary commands on a remote device
  • SQL Injection – able to read Personally Identifiable Information (PII) or other sensitive data / full read/write access to a database
  • Server-Side Request Forgery (SSRF) – able to pivot to internal application and/or access credentials (not blind)
  • Information Disclosure – mass PII leaks including data such as names, emails, phone numbers, and addresses

High

  • Information Disclosure – leaked credentials
  • Subdomain Takeover – on a domain that sees heavy traffic or would be a convincing candidate for a phishing attack
  • Cross-Site Request Forgery (CSRF) – leading to account takeover
  • Account Takeover (ATO) – with no or minimal user interaction
  • Insecure Direct Object Reference (IDOR) – read or write access to sensitive data or important fields that you do not have permission to access
  • SQL Injection – able to perform queries with a limited access user

Medium

  • CSRF – able to modify important information (authenticated)
  • ATO – required user interaction
  • IDOR – write access to modify objects that you do not have permission to modify
  • XSS – reflected/DOM XSS with access to cookies

Eligibility and Responsible Disclosure

Please submit your findings by emailing us at security@daoproptech.com. We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution will result in disqualification from the program.
