Instruction: Everything underneath `*-s.a.exodus.io` is generally considered our staging environment and is okay/safe for trying simple/basic attack vectors against our wallet and our backends. Add `-s` to any asset/service name to hit our staging environment, for example `bitcoin-s.a.exodus.io`.
**KNOWN ISSUES**
1. Please do not re-submit reports disclosing XSS attacks on the outdated openapi/swaggerhub version embedded in the various open source blockchain APIs that we host. This is a known issue; we are posting it here for clarity to prevent wasted cycles on your end and ours.
2. API keys that are hardcoded in our wallet for 3rd-party blockchain APIs (e.g. bitcoin, tezos, waves, etc.) are similarly a known/non-issue. These are effectively public APIs and no changes will be made to these endpoints.
Integrity requirements: medium
Max severity: high
Asset identifier: *.exodus.com
Asset type: URL
Availability requirement: medium
Confidentiality requirement: none
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is basically a marketing site, while our product API is still pointing to `*.exodus.io`. Some `exodus.io` subdomains should be redirected to `exodus.com`, such as `www.exodus.io` --> `www.exodus.com`.
Integrity requirements: low
Max severity: high
Asset identifier: *.exodus.io
Asset type: URL
Availability requirement: medium
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: Any domains or subdomains underneath exodus.io are considered the public "face" of our company, including our website, subdomains, download links, etc. Please review our policy for things that are considered in-scope and will result in bounties.
Instruction: Desktop Download Link: [Exodus Crypto Wallet](https://exodus.io/download)
This is the official Exodus Crypto Wallet for the Desktop (Mac/Win/Linux), which itself stores and manages a user's cryptocurrency. This has a much higher Environmental Score and more potential attack vectors, especially due to its desktop-computer nature.
**NOTE:** Please make sure to read our Program Policy, as certain attack vectors are considered out of scope (e.g. OS-related attacks).
Integrity requirements:
Max severity: critical
Asset identifier: exodus-movement.exodus
Asset type: APPLE_STORE_APP_ID
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: App Store: [Exodus Crypto Wallet](https://apps.apple.com/us/app/exodus-crypto-wallet/id1414384820)
This is the official Exodus Crypto Wallet, which itself stores and manages a user's cryptocurrency. This has a much higher Environmental Score and more potential attack vectors.
The most critical thing we want to help ensure is that our users are never vulnerable to getting their money/wallet stolen, and that users can always use their wallet to view/manage/exchange crypto.
**NOTE:** Please make sure to read our Program Policy, as certain attack vectors are considered out of scope (e.g. OS-related attacks).
Integrity requirements: high
Max severity: critical
Asset identifier: exodusmovement.exodus
Asset type: GOOGLE_PLAY_APP_ID
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Google Play Store: [Exodus Crypto Wallet](https://play.google.com/store/apps/details?id=exodusmovement.exodus&hl=en)
This is the official Exodus Crypto Wallet, which itself stores and manages a user's cryptocurrency. This has a much higher Environmental Score and more potential attack vectors.
The most critical thing we want to help ensure is that our users are never vulnerable to getting their money/wallet stolen, and that users can always use their wallet to view/manage/exchange crypto.
**NOTE:** Please make sure to read our Program Policy, as certain attack vectors are considered out of scope (e.g. OS-related attacks).