We are now publicly launching our Bug Bounty Program through the CEX.IO platform to continue improving the security of our products and services.


Policy


  • The Computer Fraud and Abuse Act:

CEX.IO undertakes not to initiate legal action for security research conducted in accordance with all Bug Bounty Program policies, including accidental violations, provided the researcher fully complies with this Policy.

We will not bring a claim against researchers for circumventing the technological measures we have used to protect the applications in the scope of the Bug Bounty Program. Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.

Please submit an appropriately composed report before engaging in conduct that may be inconsistent with, or not addressed by, this policy.

This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.

CEX.IO reserves the right to change or modify the terms of this program at any time. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists (such as the lists administered by the US Department of the Treasury’s OFAC).


  • Confidentiality:

Any information you receive or collect about us, our affiliates, or any of our users or employees in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and used only in connection with the Bug Bounty Program.

You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. To protect the Confidential Information you shall use all reasonable precautions required for the protection of such information, and shall keep the Confidential Information, including any documents and copies thereof that contain Confidential Information, in a way that prevents unauthorized access by third parties.

You must send an email to the email address BugBountyProgram@cex.io with the relevant subject to report vulnerability information to us.

CEX.IO does not give permission/authorization (either implied or explicit) to an individual or group of individuals to (1) extract personal information or content of CEX.IO Users or publicize this information on the open, public-facing internet without CEX.IO’s consent or (2) modify or corrupt data belonging to CEX.IO in order to extract and publicly disclose data belonging to CEX.IO.

All the Confidential Information is owned solely by CEX.IO (or its licensors) and the unauthorized disclosure or use of such Confidential Information may cause irreparable harm and significant injury, the degree of which may be difficult to ascertain. Accordingly, we will have the right to pursue an immediate injunction enjoining any breach of these provisions, as well as the right to pursue any and all other rights and remedies available in law or equity for such breach including indemnity.

If you fail to protect the Confidential Information specified herein, and it is found that the Confidential Information has been disclosed and/or misused, including, but not limited to, publicly posting (including on social media) materials containing Confidential Information, false statements, and/or content impairing goodwill, you shall be obliged to pay a fine in the amount of USD 100 000 (one hundred thousand), payable in addition to any damages incurred.

Notwithstanding the end of the term of your Submission or closing the issue in connection with fixing and payment of remuneration, the provisions regarding Confidential Information will survive for ten (10) years after the Confidential Information has been received and, with respect to Confidential Information that constitutes a trade secret, for so long as such Confidential Information remains a trade secret.


  • Report requirements:

  1. Do not access customer or employee personal information. If you accidentally access any of these, please stop testing and submit the vulnerability.
  2. Stop testing and report the issue immediately if you gain access to any non-public application or credentials.
  3. Do not disrupt production systems, or destroy or alter data, during security testing.
  4. Send an email to the address BugBountyProgram@cex.io with the relevant subject to report vulnerability information to us.
  5. Collect only the information necessary to demonstrate the vulnerability.
  6. Submit any necessary screenshots, screen captures, network requests, reproduction steps, or similar to the email address BugBountyProgram@cex.io (do not use third party file sharing sites).
  7. When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account as this will contradict the CEX.IO Terms of Use.
  8. When investigating a vulnerability, please avoid the destruction of data.
  9. You are not allowed to exploit a security vulnerability in any way other than as prescribed in this Policy.
  10. Only the first verified vulnerability report can receive the reward.


To help streamline our intake process, we ask that submissions include:

  1. Vulnerability Types and Description of the vulnerability
  2. Steps to reproduce the vulnerability
  3. Proof of use (e.g. any necessary screenshots, screen captures, network requests)
  4. Vulnerability Exploitation Probability
  5. List of URLs and affected payload parameters
  6. Other additional payloads, Evidence of Vulnerability, Solutions
  7. Browser version, OS and/or app version used for testing

Note: Failure to comply with these requirements or the provision of knowingly false information may result in ineligibility for a bounty and/or removal from the program.


  • Exclusions:

The following issues are outside the scope of our vulnerability rewards program:

  1. Denial of Service (DoS/DDoS) vulnerabilities.
  2. Low severity issues.
  3. Cross-site Request Forgery (CSRF) with minimal security implications.
  4. Missing cookie flags on non-security-sensitive cookies.
  5. UI and UX bugs.
  6. Open ports without an accompanying proof-of-concept demonstrating vulnerability.
  7. Disclosure of the robots.txt file.
  8. Email spoofing (SPF misconfigurations).
  9. Attacks requiring physical access to a user’s device.
  10. Social engineering of CEX.IO staff or contractors.

If you have found a security issue that directly affects a cryptocurrency and/or its components (e.g. blockchain, node, wallet), please ensure that you report it directly to the respective project team.


  • Rights and Licenses:

By making a Submission, you give us the right to use your Submission for any purpose.

We may modify the Program Terms or cancel the Bug Bounty Program at any time.


Rewards

CEX.IO may, at its sole discretion, provide rewards to eligible reporters of qualified vulnerabilities. The reward can be paid in any fiat currency or cryptocurrency that CEX.IO deems appropriate.

The following table outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see the section on Scope).

Category                                       Examples                                   Core CEX.IO       Non-Core
Remote code execution                          Command injection                          $20,160           $10,080
Injection                                      SQLi                                       $12,460           $6,230
Broken Authentication and Session Management   Activities on behalf of a user             $7,700            $3,850
Administrative functionality                   Access to internal Twitter applications    $12,460           $6,230
Account takeover                               OAuth vulnerabilities                      $7,700            $3,850
Other valid vulnerabilities                    Information leakage, XSS                   $280 – $2,940     $140 – $1,470


Scopes

  • In Scope

Type                          Asset                                                                   Severity    Bounty
Domain                        *.cex.io                                                                Critical    Eligible
Other (Mobile Applications)   https://play.google.com/store/apps/details?id=io.cex.app.prod           Critical    Eligible
Other (Mobile Applications)   https://apps.apple.com/us/app/cex-io-bitcoin-exchange/id1047225016      Critical    Eligible


  • Out of Scope