# SCAN — HackerOne (Polygon Technology) — 2026-02-15

## Targets Added

- https://github.com/0xPolygon/proof-generation-api
- https://github.com/0xPolygon/auto-claim-service
- https://github.com/0xPolygon/chain-indexer-framework
- https://github.com/0xPolygon/lxly.js
- https://github.com/0xPolygon/static

## Automated Scans

### semgrep (p/security-audit + p/owasp-top-ten)

- proof-generation-api - 1 finding: Dockerfile missing non-root USER
- auto-claim-service - 1 finding: Dockerfile missing non-root USER
- chain-indexer-framework - 0 findings
- lxly.js - 0 findings
- static - 8 findings
  - Notable:
    - `.github/workflows/build_and_deploy.yml`: run-shell injection pattern (untrusted `${{ github.* }}` interpolation in `run:`)
    - `Dockerfile`: missing non-root USER
    - `nginx.conf`: header-redefinition warnings (may impact security headers if assumed set)

### trufflehog (filesystem, --no-verification)

- All 5 repos: 0 secrets detected
- Note: the tool logs "error cleaning temporary artifacts" in this sandbox (PID listing restriction), but the scan completes.

## Next Manual Checks (High ROI)

### static

- Validate workflow trigger type and permission context (watch for `pull_request_target`, write tokens, and whether secrets are exposed to fork PRs).
- Check nginx config: verify that actual response headers include the expected CSP/HSTS/XFO/etc.

### proof-generation-api / auto-claim-service

- Find and review any externally reachable HTTP endpoints; check authn/authz, request smuggling, SSRF, and unsafe deserialization.

### chain-indexer-framework / lxly.js

- Confirm threat model (library vs service). If library-only, de-prioritize.