We are now launching our Bug Bounty program through the CEX.IO platform to continue to improve the security of our products and services.
The Computer Fraud and Abuse Act:
CEX.IO undertakes not to take legal action for security research conducted in accordance with all Bug Bounty Program policies, or for unintentional violations, provided the researcher is otherwise in full compliance with these policies.
We will not make a claim against researchers for circumventing the technological measures we use to protect the applications covered by the Bug Bounty Program.
Before engaging in any activity that may violate, or is not clearly covered by, this policy, submit a properly prepared report describing what you intend to do.
This report should contain a brief description of your intended activity so that we can determine whether it complies with the Bug Bounty Program policy.
Any information you receive or collect about us, our affiliates, or any of our users or employees in connection with the Bug Bounty Program ("Confidential Information") must be treated confidentially and used only in connection with the Bug Bounty Program.
You may not use, disclose or distribute such Confidential Information, including without limitation information about your Submission, without our prior written consent. To protect Confidential Information, you must take all reasonable precautions necessary to protect it, and you must store Confidential Information, including any documents and copies containing it, in a manner that prevents unauthorized access by third parties.
You have to send an email to the email address BugBountyProgram@cex.io with the relevant subject to report vulnerability information to us.
CEX.IO does not give permission or authorization (implicit or explicit) to any individual or group of individuals to (1) extract personal information or content belonging to CEX.IO users, or disclose such information on the open, public Internet, without CEX.IO's permission, or (2) modify or corrupt CEX.IO data in order to extract and disclose data from CEX.IO.
All Confidential Information is the sole property of CEX.IO (or its licensors), and the unauthorized disclosure or use of such Confidential Information could cause irreparable damage and substantial injury, the extent of which is difficult to determine. Accordingly, we have the right to seek immediate injunctive relief for any violation of these provisions, as well as the right to pursue all other rights and remedies available at law or in equity for such violation, including indemnification.
If you fail to protect Confidential Information as specified herein, and it is found that Confidential Information has been disclosed and/or misused, including, but not limited to, by publicly posting (including on social media) material containing Confidential Information, content that is false, and/or content that damages our goodwill, then in addition to damages you will owe a fine of USD 100,000 (one hundred thousand).
Notwithstanding the end of the term of your Submission or the closing of the matter relating to the determination and payment of a reward, the provisions regarding Confidential Information will remain in effect for ten (10) years after the Confidential Information is received and, with respect to Confidential Information that constitutes a trade secret, for as long as such Confidential Information remains a trade secret.
- Do not access the personal data of customers or employees. If you accidentally access any of these, stop testing and submit the vulnerability.
- If you gain access to a non-public application or to login credentials, stop testing and report the problem immediately.
- Do not disrupt production systems or data during security testing.
- Send an email to BugBountyProgram@cex.io with an appropriate subject line to report vulnerability information to us.
- Collect only the information necessary to demonstrate the vulnerability.
- Submit any necessary screenshots, network requests, reproduction steps, or similar material to BugBountyProgram@cex.io (do not use third-party file-sharing sites).
- When investigating a vulnerability, focus only on your own account and do not attempt that
- You are not permitted to exploit a security vulnerability in any way other than as described in this policy.
- Only the first verified report of a given vulnerability is eligible for a reward.
To streamline our intake process, we ask that submissions include:
- Vulnerability type and a description of the vulnerability
- Steps to reproduce the vulnerability
- Proof of exploitation (e.g. any necessary screenshots, network requests)
- Likelihood and impact of exploitation
- List of affected URLs and parameters, with the payloads used
- Any additional payloads, further evidence of the vulnerability, or suggested fixes
- Browser version, operating system and/or app version used for testing
Note: Failure to comply with these requirements, or deliberately providing false information, may result in ineligibility for a bounty and/or removal from the program.
The following issues are out of scope for our vulnerability reward program:
- Denial of Service (DoS / DDoS) vulnerabilities
- Cross-site Request Forgery (CSRF) with minimal security impact
- Missing cookie flags on non-security-sensitive cookies
- UI and UX bugs
- Open ports without an accompanying proof of concept demonstrating a vulnerability
- Disclosure of the robots.txt file
- Email spoofing (incorrect SPF configuration)
- Attacks that require physical access to a user's device
- Social engineering of CEX.IO personnel or contractors
If you have found a security issue directly affecting a cryptocurrency and/or its components (e.g. blockchain, node, wallet), make sure to report it directly to the appropriate project team.
By submitting an entry, you grant us the right to use your entry for any purpose.
We can change the Program Terms at any time or cancel the Bug Bounty Program.
CEX.IO may, in its sole discretion, provide rewards to eligible reporters of Qualified Vulnerabilities. The two reward columns below reflect the higher and lower reward tiers for each category, as listed in the program:

| Category | Example | Reward (higher tier) | Reward (lower tier) |
|---|---|---|---|
| Remote code execution | Command injection | $20,160 | $10,080 |
| Injection | SQLi | $12,460 | $6,230 |
| Broken authentication and session management | Actions performed on behalf of a user | $7,700 | $3,850 |
| Administrative functionality | Access to internal applications | $12,460 | $6,230 |
| Account takeover | OAuth vulnerabilities | $7,700 | $3,850 |
| Other valid vulnerabilities | Information leakage, XSS | $280 - $2,940 | $140 - $1,470 |