Dear Global Biconomy Users,
To ensure the security, stability, and protection of user assets on the Biconomy platform, we have established the Biconomy External Threat Intelligence Handling Standards to ensure all security-related intelligence is promptly addressed and professionally managed. Users, researchers, and security professionals are encouraged to carefully read the following guidelines and strictly adhere to the relevant regulations.
Scope of Application
This process applies to all external threat intelligence received by the Biconomy Security Emergency Response Center (BSRC) (support@biconomy.com), including but not limited to platform vulnerabilities, attack activities, and potential security risks.
Basic Principles
1. Biconomy prioritizes platform security and commits to following up, analyzing, fixing, and promptly responding to all reported security issues.
2. We support responsible vulnerability disclosure and reward researchers who uphold white-hat ethics, protect user interests, and help improve Biconomy’s security quality.
3. Biconomy strictly condemns any misuse of vulnerability testing for destructive purposes, including but not limited to:
• Unauthorized access to user privacy or digital assets
• Hacking into platform systems
• Exploiting or disseminating vulnerabilities for malicious purposes
4. We oppose any attempts to extort, blackmail, or attack competitors using security vulnerabilities and will take legal action to hold violators accountable.
5. Security management requires collaboration, and we encourage cooperation with enterprises, security firms, and research institutions to promote a stable Web3 security ecosystem.
Threat Intelligence Reporting & Handling Process
1. Reporting Stage
Threat intelligence reporters can submit security intelligence via Biconomy’s Threat Intelligence Reporting Email (support@biconomy.com). Please provide detailed information, including but not limited to:
• Vulnerability Description
• Attack Methods
• Impact Scope
• Proof of Concept (PoC) Code
• Possible Fix Suggestions
2. Handling Stage
• Within 1 business day, the Biconomy Security Emergency Response Center (BSRC) will acknowledge receipt and start the evaluation process (Status: Under Review).
• Within 3 business days, BSRC will validate the vulnerability, assess the risk, and decide on a resolution plan (Status: Confirmed/Ignored).
• If necessary, Biconomy may communicate with the reporter for confirmation, and we encourage active cooperation from the reporter.
3. Fixing Stage
• Business departments will work on fixing the vulnerability and releasing security updates (Status: Fixed).
• Fix timelines depend on the severity of the issue:
  • Critical/High-risk vulnerabilities: Fixed within 24 hours
  • Medium-risk vulnerabilities: Fixed within 3 business days
  • Low-risk vulnerabilities: Fixed within 7 business days
  • Client-side security issues: Subject to release cycles; fix time varies.
• The threat intelligence reporter will verify whether the issue has been resolved (Status: Verified/Dispute Raised).
4. Completion Stage
• During the first week of each month, Biconomy will publish a security bulletin summarizing the previous month’s reports, thanking contributors, and listing resolved issues.
• Critical vulnerabilities will be addressed in a dedicated security announcement to inform users about necessary precautions.
• Contributors will earn security points, which can be redeemed for rewards (e.g., security tokens, cash incentives, etc.).
• Periodic reward programs and offline security exchange events will be organized.
Threat Intelligence Scoring Criteria
Biconomy prioritizes vulnerabilities and security intelligence that impact its business operations. The scoring criteria are as follows:
5. Business Vulnerability Scoring
| Vulnerability Level | Score Range | Reward (Security Tokens) | Vulnerability Examples |
| --- | --- | --- | --- |
| Critical | 9-10 | 1080-1200 | Server privilege escalation, remote code execution, SQL injection, authentication bypass, etc. |
| High | 6-8 | 360-480 | Theft of user identity information, access to sensitive admin panels, XSS vulnerabilities, kernel code execution, etc. |
| Medium | 3-5 | 45-75 | Reflected XSS, CSRF, application-layer DoS, general information leakage, etc. |
| Low | 1-2 | 9-18 | Low-impact XSS, path disclosure, redirect vulnerabilities, etc. |
| None | 0 | 0 | Vulnerabilities with no practical exploitability, known vulnerabilities, invalid reports from automated scanners, etc. |
Dispute Resolution
If a reporter disagrees with:
• Vulnerability assessment
• Scoring criteria
• Reward amount
They may contact the Biconomy Security Emergency Response Center (BSRC) for discussion.
Biconomy prioritizes contributor rights, and in case of disputes, third-party security experts may be consulted for arbitration.
Frequently Asked Questions (FAQ)
Q: Will Biconomy publicly disclose vulnerability details?
A: To protect user security, Biconomy will not disclose any vulnerability details before a fix is implemented.
Once fixed, contributors may publish their own vulnerability reports, and Biconomy encourages technical sharing. However, pre-disclosure before a fix is strictly prohibited.
Q: Will Biconomy ignore a vulnerability and secretly fix it?
A: Absolutely not.
• All ignored vulnerabilities will be accompanied by an explanation (e.g., low impact, false positives, etc.).
• If the issue results from a business logic change, the product team will decide whether to fix it, but no security problem will be concealed.
Final Terms
• This policy applies to all security issue handling on the Biconomy platform.
• Biconomy reserves the right to modify this policy at any time, with the latest version announced on the official website.
• By continuing to submit intelligence, you automatically agree to the latest version of this policy.
Reminder: Biconomy welcomes responsible security research but strictly prohibits malicious exploitation of vulnerabilities!