CoinFLEX Bug Bounty Program

At CoinFLEX, security is of the utmost importance to us and our users. Hence, we are pleased to present the CoinFLEX Bug Bounty Program. The aim of this program is to engage more effectively with our community and supporters in reporting bugs and vulnerabilities.

Sep 2020 Update – please read first.

Thank you to all our bug bounty reporters over the past year. You have done an amazing job in helping to secure CoinFLEX and its applications.

In fact you have done such a good job that the InfoSec department budget is running low! Well done!

Therefore, we will not be making any further payments until the next financial year (2021). This obviously excludes serious and critical vulnerabilities, which you should please report immediately.

We look forward to working with you further in 2021.


Responsible Disclosure Policy

CoinFLEX aims to keep its services safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in our services, we appreciate your help in disclosing it to us in a responsible manner.

Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.

This program does not allow public disclosure. You may not release information about vulnerabilities found in this program to the public.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit, written permission of the account holder that you can provide to CoinFLEX.

Bounty Program Rules

Contact email: [email protected]

Please provide detailed reports with reproducible steps.

If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.

We have a testnet (Stage) environment at https://coinflex.com. If you believe a reproduction could harm service of the platform, please reproduce the issue on Stage instead.

Requirements

We require that researchers:

  • Do not access customer or employee personal information, pre-release CoinFLEX content, or confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.

  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.

  • Do not degrade the CoinFLEX user experience, disrupt production systems, or destroy data during security testing.

  • Perform research only within the scope.

  • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar.

  • When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.

  • Securely delete CoinFLEX information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.

If you fulfill these requirements, CoinFLEX will:

  • Work with you to understand and attempt to resolve the issue quickly (confirming the report within 7 days of submission).

  • Recognize your contribution in our Security Researcher Hall of Fame, if you are the first to report the issue.

  • Pay you for your research for unique vulnerabilities that meet the guidelines listed below, if you are the first to report the issue to us.

To encourage responsible disclosure, CoinFLEX will not file a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.

If you have any questions regarding the CoinFLEX program, please reach out to [email protected]

Focus Areas

We encourage researchers to focus their efforts in the following areas:

  • Cross Site Scripting (XSS)

  • Cross-Site Request Forgery (CSRF)

  • Brute force

  • Clickjacking

  • SQL Injection (SQLi)

  • Insecure storage

  • Authentication related issues

  • Authorization related issues

  • Data Exposure

  • Redirection attacks

  • Remote Code Execution

  • Business Logic

  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

  • Mobile-specific API vulnerabilities

Excluded Submission Types

Vulnerability reports which do not include careful manual validation – for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors or best practices without proof of exploitability – will be closed as Not Applicable.

The CoinFLEX Bug Bounty program excludes certain vulnerability classes as below:

  • Cookie valid after logout

  • Cookie valid after password change/reset

  • Cookie expiration

  • Cookie migration/sharing

  • Forgot password autologin

  • Autologin token reuse

  • Static content over HTTP

  • Vulnerabilities related to offline playback.

  • Free trials

  • Same Site Scripting

  • Physical Testing

  • Social Engineering

    • For example, attempts to steal cookies, fake login pages to collect credentials

  • Phishing

  • Denial of service attacks (DDoS)

  • Resource Exhaustion attacks

  • Issues related to rate limiting

  • Login or Forgot Password page brute force and account lockout not enforced

  • Services listening on port 80

  • Internal IP address disclosure

  • Issues related to cross-domain policies for software such as Flash, Silverlight, etc. without evidence of an exploitable vulnerability

  • Weak password policies

  • Vulnerabilities impacting only old/end-of-life browsers/plugins including:

    • Issues that have had a patch available from the vendor for at least 6 months

    • Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)

    • Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of CoinFLEX systems or software (e.g. UXSS)

  • Reports relating to root certificates

  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks

  • Vulnerability reports relating to exposure of non-critical files, e.g. robots.txt, sitemap.xml, .gitignore

  • Vulnerability reports relating to sites or network devices not owned by CoinFLEX

  • Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)


Additional Terms

Your testing must comply with applicable laws. This program is not an offer of employment. Whether to pay a reward and in what amount is at CoinFLEX’s discretion. You are responsible for any taxes associated with a reward you receive. We may modify or cancel this program at any time.

Your Report

Please note your report should contain the following at minimum to be considered:
  1. URLs affected
  2. Description
  3. Impact
  4. Proof of concept (with screenshots or video if applicable)
  5. Mitigation/recommended fix

Rewards

Rewards are granted on a case-by-case basis depending on the threat level and the report's quality. Rewards can be paid in FLEX, XBT, USDT or ETH.

Critical: 2000+ USDT equivalent
Severe: 500 USDT equivalent
Moderate: 200 USDT equivalent
Low: 100 USDT equivalent

Once your submission is accepted, we will ask you to provide either of the following to receive your reward:

  • Email address registered on CoinFLEX

  • Your wallet address