Kastle Browser Extension & Mobile Wallet for Kaspa Network
Introduction
At Kastle, security is our highest priority. We appreciate ethical hackers and security researchers who help protect our users and assets. This VDP outlines the scope, rules, and rewards for reporting vulnerabilities in Kastle's browser extension wallet.
We offer a variable bounty starting at USD 3,000+ for critical vulnerabilities that could expose seed phrases or private keys, leading to irreversible loss of funds.
Scope
This VDP covers the following assets:
Kastle Browser Extension Wallet
Kastle Mobile Wallet (iOS & Android)
Domains in scope:
*.kastle.cc
Direct interactions with wRPC endpoints
In-Scope Vulnerabilities
We are interested in vulnerabilities that meet the following criteria:
Critical Security Issues
Leakage of secret phrases, private keys, or passwords
Remote Code Execution (RCE) within the extension
(RCE is considered in scope only if an attacker can execute arbitrary code within the Kastle extension. RCE vulnerabilities related to browser sandbox escape or OS-level privilege escalation are out of scope.)
Theft of user funds or unauthorized transactions
Unauthorized access to wallets or accounts
Extraction of seed phrase or private key from storage
Compromise via IPC or deep link injection
Bypass of biometric/PIN protections
High-Impact Issues
Cross-Site Scripting (XSS) leading to account compromise
Cross-Context Data Leakage
MITM vulnerabilities in wallet communication
Authentication and session management flaws
Insecure handling of deep links and WebView injection
Bypass of lock screen protections
Insecure WebView injection
MITM against mobile RPC endpoints
Mobile-specific XSS/HTML injection if applicable
Medium-to-Low Risk Issues
CSRF on sensitive actions
Subdomain takeovers
Privilege escalation vulnerabilities
Rules & Guidelines
Responsible Disclosure
Report vulnerabilities privately to Kastle and avoid public disclosure until patched.
Do not access or modify real user data during testing.
Testing should not impact production accounts or assets.
Submission Requirements
Clear proof of concept (PoC)
Detailed reproduction steps
Impact assessment and mitigation suggestions
Device, OS, and app version for mobile issues
Screenshots or video demos
Exclusions (Out of Scope)
Clickjacking on non-sensitive pages
CSRF on unauthenticated forms
Self-XSS and phishing
Issues in outdated browsers (older than two releases)
Third-party library bugs
Attacks requiring a compromised victim device
Rate limiting or brute-force attacks on non-authentication endpoints
Missing HTTP security headers (unless a direct security impact is demonstrated)
Denial of Service (DoS) attacks
Vulnerabilities in third-party software and services (e.g., rusty-kaspa, general Kaspa RPC bugs)
URL redirections unless a security impact can be demonstrated
Social engineering (e.g., phishing, impersonation attacks)
Root/jailbreak detection bypasses (unless the bypass leads to wallet compromise)
Store metadata manipulation (Google Play / App Store)
Keyboard overlays/tapjacking without wallet compromise
Bug Bounty Rewards
Bounty amounts are based on severity, exploitability, and report quality.
Severity
Example Vulnerabilities
Estimated Reward
Critical
Secret phrase leakage, private key exposure, RCE, full account takeover