BitForex is one of the top cryptocurrency exchanges, dedicated to providing users with safe, professional, and convenient digital currency trading services. BitForex leads the cryptocurrency exchange industry by providing a wide range of trading tools, including token trading, margin trading, and derivatives, and adapts to new market needs through the continuous introduction of new features.
The company is headquartered in Hong Kong and was registered in the Republic of Seychelles in 2017; independent operating teams are located in Germany, South Korea, Singapore, Russia, and elsewhere.
As of October 2021, BitForex serves over 5 million users from more than 200 countries and regions, with peak daily active users reaching 160,000.
- All bug reports must be submitted to [email protected]
- All bug reports are rated by BitForex and paid out based on vulnerability severity.
- To receive bug bounty payouts, you must register a BitForex account and bind the email address you used to report the bug. Include your BitForex account UID in the report. Rewards are paid in USDT and sent to the account you provide.
- Demanding payment in exchange for vulnerability details makes the report immediately ineligible for a bounty.
- Provide as detailed a report as possible so that we can reproduce your findings; reports that cannot be reproduced may not be rewarded.
- For chained vulnerabilities, only the highest-severity vulnerability in the chain is paid. For duplicate reports of the same vulnerability, only the first report that includes enough detail to reproduce it is paid.
- BitForex reserves the right to cancel or amend the bug bounty rules at our sole discretion.
Out of Scope
Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (as assessed by BitForex).
- Best-practice concerns
- Self-XSS & HTML injection
- Unreproducible vulnerabilities
- User enumeration
- Version disclosure (e.g., Nginx server headers)
- Vulnerabilities in third-party applications
- Vulnerabilities requiring victim interaction
- CSRF on non-sensitive operations
- Missing Content Security Policy (CSP) or Subresource Integrity (SRI) on web pages
- Functional bugs that pose no security risk
- Social engineering, phishing, physical attacks, email spoofing, or other fraudulent activity
- Performance issues such as requesting resized images to cause slow responses
- Publicly disclosed 0-day vulnerabilities less than 30 days old (for example, the Log4j2 vulnerability)
- Vulnerabilities that require any third-party application (including malware) to be installed on the victim’s device
- Standalone Android findings such as android:allowBackup="true" or local denial of service (unless chained into a deeper exploit)
Severity & Rewards
| Severity | Reward |
| --- | --- |
| Critical | 1500 - 2500 USDT |
| High | 500 - 1000 USDT |
| Medium | 200 - 300 USDT |
| Low | 50 - 100 USDT |
- 22 reports closed in the last six months
- 7,000 USDT paid out in the last six months
A critical vulnerability is one that occurs in a core business system (the core control system, field control, business distribution system, bastion host, or other control systems that manage a large number of systems). It causes a severe impact: gaining control of a business system (depending on the actual situation), gaining the access of core system administrators, or even taking control of the core system.
It includes but is not limited to:
- Access to multiple devices on the internal network;
- Gaining super-administrator access to the core backend, leaking core enterprise data, or otherwise causing a severe impact;
- Smart contract integer overflow and race condition vulnerabilities.
- Gaining system access (getshell, command execution, etc.).
- System SQL injection (SQL injection confined to the backend is rated one level lower; submitting related findings together in one report is preferred where appropriate).
- Unauthorized access to sensitive information, including but not limited to direct access to the admin backend by bypassing authentication, brute-forceable backend passwords, and SSRF that retrieves sensitive information from the internal network.
- Arbitrary file read.
- XXE that can read arbitrary data.
- Unauthorized operations involving funds, or payment logic bypass (must be successfully exploited).
- Severe logic and process design defects, including but not limited to login as any user, bulk modification of account passwords, and logic flaws involving core business; verification code brute-forcing is excluded.
- Other vulnerabilities affecting users at scale, including but not limited to self-propagating stored XSS on critical pages, or stored XSS that obtains administrator authentication information and is successfully exploited.
- Large-scale source code leakage.
- Access control defects in smart contracts.
- Vulnerabilities that affect users through interaction, including but not limited to stored XSS on ordinary pages and CSRF involving core business.
- General unauthorized operations, including but not limited to modifying user data or performing user actions by bypassing restrictions.
- Denial-of-service vulnerabilities, including but not limited to remote denial of service against web applications.
- Verification code logic defects that allow successful brute-forcing of sensitive operations, such as logging in as any account or obtaining passwords.
- Leakage of locally stored sensitive authentication keys, provided they can be used effectively.
Low
- Local denial-of-service vulnerabilities, including but not limited to local client crashes (file format parsing, crashes triggered via network protocols), issues caused by exposed Android component permissions, and general application access.
- General information disclosure, including but not limited to web path traversal, system path traversal, and directory listing.
- Reflected XSS (including DOM XSS and Flash XSS).
- General CSRF.
- Open redirect (URL jump) vulnerabilities.
- SMS bombing and mail bombing (only one such report is accepted per system).
- Other low-impact vulnerabilities that cannot be shown to be dangerous (such as a CORS misconfiguration that exposes no sensitive information).
- Blind SSRF with no response data and no further exploitation.
Network disruption or abnormal service access caused by the following behaviors will be handled in accordance with applicable laws and regulations:
- Do not disclose the details of any discovered vulnerability without permission from BitForex.
- Do not exploit DoS/DDoS vulnerabilities or carry out social engineering attacks, spam, phishing attacks, etc.
- Do not use automated web or port scanners or otherwise generate large volumes of requests.
- All vulnerability testing must use your own accounts. Do not obtain other users' accounts in any form for testing or intrusion.
- Avoid any impact on or restriction of, including but not limited to, the availability of the business, products, or infrastructure.