CoinFLEX Bug Bounty Program
At CoinFLEX, security is of the utmost importance to us and our users. Hence, we wish to present to you the CoinFLEX Bug Bounty Program. The aim of this program is to more effectively engage with our community and supporters in reporting any bugs and vulnerabilities.
Responsible Disclosure Policy
CoinFLEX aims to keep its services safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in our services, we appreciate your help in disclosing it to us in a responsible manner.
Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
This program does 不能 allow disclosure. You may not release information about vulnerabilities found in this program to the public.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit, written permission of the account holder that you can provide to CoinFLEX.
Bounty Program Rules
Contact email: [email protected]
Please provide detailed reports with reproducible steps.
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.
We have a testnet (Stage) environment at https://coinflex.com. If you believe a reproduction could potentially harm service of the platform, please do a reproduction on Stage.
Requirements
We require that researchers:
Do not access customer or employee personal information, pre-release CoinFLEX content, or confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
Do not degrade the CoinFLEX user experience, disrupt production systems, or destroy data during security testing.
Perform research only within the scope.
Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar.
When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
Securely delete CoinFLEX information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.
If you fulfill these requirements, CoinFLEX will:
Work with you to understand and attempt to resolve the issue quickly (confirming the report within 7 days of submission)
Recognize your contribution in our Security Researcher Hall of Fame, if you are the first to report the issue.
Pay you for your research for unique vulnerabilities that meet the guidelines listed below if you are the first to report the issue to us.
To encourage responsible disclosure, CoinFLEX will not file a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.
If you have any questions regarding the CoinFLEX program, please reach out to [email protected]
Focus Areas
coinflex.com/* (this excludes subdomains)
notes.finance/*
We encourage researchers to focus their efforts in the following areas:
Cross Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Brute force
SQL Injection (SQLi)
Insecure storage
Authentication related issues
Authorization related issues
Data Exposure
Redirection attacks
Remote Code Execution
Business Logic
Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
Mobile-specific API vulnerabilities
Excluded Submission Types
Vulnerability reports which do not include careful manual validation – for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors or best practices without proof of exploitability – will be closed as Not Applicable.
The CoinFLEX Bug Bounty program excludes certain vulnerability classes as below:
Cookie expiration
Cookie migration/sharing
Forgot password autologin
Autologin token reuse
Static content over HTTP
Vulnerabilities related to offline playback.
Free trials
Same Site Scripting
Physical Testing
Social Engineering
For example, attempts to steal cookies, fake login pages to collect credentials
Phishing
Resource Exhaustion attacks
Denial of service attacks (DDoS)
Issues related to rate limiting
Login or Forgot Password page brute force and account lockout not enforced
Services listening on port 80
Internal IP address disclosure
Issues related to cross-domain policies for software such as flash, Silverlight etc. without evidence of an exploitable vulnerability
Weak password policies
Vulnerabilities impacting only old/end-of-life browsers/plugins including:
Issues that have had a patch available from the vendor for at least 6 months
Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)
Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of CoinFLEX systems or software (e.g. UXSS)
Reports relating to root certificates
Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
Vulnerability reports relating to exposure of non critical files. E.G. robots.txt, sitemap.xml, .gitignore
Vulnerability reports relating to sites or network devices not owned by CoinFLEX
Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)
Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.
Additional Terms
Your testing must comply with applicable laws. This program is not an offer of employment. Whether to pay a reward and in what amount is at CoinFLEX’s discretion. You are responsible for any taxes associated with a reward you receive. We may modify or cancel this program at any time.
Your Report
- URLs affected
- Description
- Impact
- Proof of concept ( with screenshots or video if applicable)
- Mitigation/recommended fix
奖励
The rewards are granted on a case by case basis depending on the threat level and report’s quality. Rewards will be paid in BTC.
Critical: 5000+ USDT equivalent
Severe: 500 USDT equivalent
Moderate: 200 USDT equivalent
Low: 25 USDT equivalent
Once your submission is accepted, we will ask you to provide either of the following to receive your reward:
Email address registered on CoinFLEX
Your wallet address
Payments are made every Monday at 3pm UTC. If you have not received payment or a response then please get in touch again.
