Requirements

We require that researchers:

• Do not access customer or employee personal information, pre-release CoinFLEX content, or confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.

• Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.

• Do not degrade the CoinFLEX user experience, disrupt production systems, or destroy data during security testing.

• Perform research only within the scope.

• Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar.

• When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.

• Securely delete CoinFLEX information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.

• If you fulfill these requirements, CoinFLEX will:

• Work with you to understand and attempt to resolve the issue quickly (confirming the report within 7 days of submission)

• Recognize your contribution in our Security Researcher Hall of Fame, if you are the first to report the issue.

• Pay you for your research for unique vulnerabilities that meet the guidelines listed below if you are the first to report the issue to us.

To encourage responsible disclosure, CoinFLEX will not file a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.

If you have any questions regarding the CoinFLEX program, please reach out to [email protected]

Focus Areas

We encourage researchers to focus their efforts in the following areas:

• Cross Site Scripting (XSS)

• Cross-Site Request Forgery (CSRF)

• Brute force

• SQL Injection (SQLi)

• Insecure storage

• Authentication related issues

• Authorization related issues

• Data Exposure

• Redirection attacks

• Remote Code Execution

• Business Logic

• Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

• Mobile-specific API vulnerabilities

Excluded Submission Types

Vulnerability reports which do not include careful manual validation – for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors or best practices without proof of exploitability – will be closed as Not Applicable.

The CoinFLEX Bug Bounty program excludes certain vulnerability classes as below:

• Clickjacking

• Cookie valid after logout

• Cookie valid after password change/reset

• Cookie expiration

• Cookie migration/sharing

• Forgot password autologin

• Autologin token reuse

• Static content over HTTP

• Vulnerabilities related to offline playback.

• Free trials

• Same Site Scripting

• Physical Testing

• Social Engineering

  • For example, attempts to steal cookies, fake login pages to collect credentials

• Phishing

  • Denial of service attacks (DDoS)

  • Resource Exhaustion attacks

• Issues related to rate limiting

• Login or Forgot Password page brute force and account lockout not enforced

• Services listening on port 80

• Internal IP address disclosure

• Issues related to cross-domain policies for software such as flash, Silverlight etc. without evidence of an exploitable vulnerability

• Weak password policies

• Vulnerabilities impacting only old/end-of-life browsers/plugins including:

  • Issues that have had a patch available from the vendor for at least 6 months

  • Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)

  • Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of CoinFLEX systems or software (e.g. UXSS)

• Reports relating to root certificates

• Vulnerability reports related to the reported version numbers of web servers, services, or frameworks

• Vulnerability reports relating to exposure of non critical files. E.G. robots.txt, sitemap.xml, .gitignore

• Vulnerability reports relating to sites or network devices not owned by CoinFLEX

• Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.

Additional Terms

Your testing must comply with applicable laws. This program is not an offer of employment. Whether to pay a reward and in what amount is at CoinFLEX’s discretion. You are responsible for any taxes associated with a reward you receive. We may modify or cancel this program at any time.