Introduction
The CoinEx Wallet Security Bounty Program aims to provide global users with a secure, stable, and efficient digital currency platform. The program classifies reported vulnerabilities into three levels (Level 1 to Level 3) according to their risk. To encourage users and white-hat researchers to discover and report security vulnerabilities, a bounty of up to 5,000 USDT is paid for each valid report.
The principles, rewards, and evaluation criteria of the CoinEx Wallet Security Bounty Program are outlined below.
Basic Principles
1. CoinEx Wallet attaches great importance to the security of its products and services. We promise to follow up on, evaluate, and fix all reported issues and to respond to every report in a timely manner.
2. To ensure effective follow-up, CoinEx Wallet may need assistance from the security researcher to reproduce the issue.
3. CoinEx Wallet values responsible vulnerability disclosure and handling. We promise to offer recognition and a reward to every researcher who adheres to the white-hat spirit, protects users' interests, and helps CoinEx Wallet improve its security.
4. CoinEx Wallet opposes and condemns all hacking activities that use vulnerability testing as an excuse to damage the interests of CoinEx Wallet users, including but not limited to exploiting vulnerabilities to violate user privacy and steal digital assets, invade business systems, steal user data, and maliciously spread vulnerabilities.
5. CoinEx Wallet opposes and condemns all acts of using security vulnerabilities to intimidate users and attack competitors.
6. CoinEx Wallet reserves the right to make a final interpretation of the security bounty program at any time.
Rewards and Evaluation Criteria
Level | Reward
Level 1 | 100-500 USDT
Level 2 | 750-2,000 USDT
Level 3 | 2,500-5,000 USDT
- Level 1
Definition: Vulnerabilities of this level may pose limited hazards or potential security risks.
Categories:
(1) Misuse of the verification code interface, and brute-force attacks on verification codes and passwords.
(2) Less harmful vulnerabilities such as CSRF on non-sensitive operations, and email spoofing made possible by a missing or permissive SPF record.
(3) Vulnerabilities that affect the availability and stability of the system, causing it to stop responding.
- Level 2
Definition: Vulnerabilities of this level compromise sensitive information or asset security. They may cause certain impacts or asset losses.
Categories:
(1) Vulnerabilities such as XSS and CSRF that affect some users, leak users' credentials, or trigger unauthorized sensitive operations.
(2) Flaws in verification logic, password reset, etc. that can be exploited to take over user accounts.
(3) Flaws in product design that compromise data or asset security.
- Level 3
Definition: Vulnerabilities of this level can cause severe asset loss or massive leakage of sensitive information.
Categories:
(1) Vulnerabilities that endanger user assets or company property, such as private key leakage, deposit-crediting flaws, etc.
(2) High-risk vulnerabilities such as SQL injection, remote code execution, etc. that grant unauthorized access to a system or allow system privileges to be obtained.
(3) Unauthorized access to sensitive information, such as unauthorized access to user accounts or to sensitive data in the system backend.
Security Bounty Program Process
1. Submit a report
The security researcher can send the report to support@wallet.coinex.com, or open a ticket to submit the report.
Note: The report should be as detailed as possible, including a written description, the affected URLs, screenshots, and the steps needed to reproduce the issue. Attach a file (for example, a proof-of-concept or a captured request) if necessary.
2. Vulnerability investigation and evaluation
(1) Within three working days, CoinEx Wallet will review the report and investigate the issue.
(2) Within seven working days, CoinEx Wallet will give a conclusion and determine the vulnerability level. If necessary, we will contact the researcher for further confirmation, and their assistance is much appreciated.
3. Fix the reported issue
(1) Our technical department will fix the reported security issue and schedule an update. The time to fix depends on the severity of the issue and its technical complexity. For security issues in the client applications, the fix may also be gated by the app release schedule.
(2) The researcher can review whether the security issue is fixed.
4. Final stage
After the fix is completed, CoinEx Wallet will pay the bounty to the security researcher in USDT (TRC20) according to the "Rewards and Evaluation Criteria" above.
FAQ
Q: Will CoinEx Wallet disclose the information related to the vulnerability report?
A: In order to protect users' interests and privacy, we will not publicly disclose any information about the report.
Q: Is the CoinEx Wallet Security Bounty Program a disguise for using rewards to conceal security issues?
A: No. First of all, CoinEx Wallet believes that related information should not be disclosed in order to protect users’ interests and privacy, which is also a common practice in the industry. Secondly, the rewards are intended to express gratitude and respect to the security researcher, instead of concealing security issues.
Q: Will CoinEx Wallet “ignore” the vulnerability and then secretly fix it?
A: Absolutely not. If a vulnerability report is "ignored", our staff will explain the reason in the feedback on the report. Usually this happens because the reported "vulnerability" has been evaluated as a functional bug rather than a security vulnerability. CoinEx Wallet will not "secretly fix a vulnerability" under any circumstances.