CoinEx Security Bounty Program

Introduction
The CoinEx Security Bounty aims to provide global users with a secure, stable and efficient digital currency trading platform. The Program is divided into three levels from L1 to L3 according to the threat degree of potential vulnerabilities, with up to 5,000 USDT as a reward to encourage more users and white hat hackers to discover and report security vulnerabilities. The domain name is *.coinex.com.

Basic Principles
1) CoinEx attaches great importance to the safety of its products and business. CoinEx promises that each reported problem will be followed up, analyzed, dealt with and responded timely.

2) CoinEx may need the help of the reporter when following up the problem, and may require the reporter to reproduce the problem to ensure effective follow-up.

3) CoinEx highlights the responsible vulnerability disclosure and handling process, and promises to give reward and thanks to every user who adheres to the spirit of the white hat hacker, protects users’ interests, and helps CoinEx improve the security quality.

4) CoinEx opposes and condemns all hacking activities that use vulnerability testing as an excuse to damage and harm users’ interests, including but not limited to exploiting vulnerabilities to steal users’ privacy and virtual property, invading business systems, stealing user data, and maliciously spreading vulnerabilities.

5) CoinEx opposes and condemns all acts of using security vulnerabilities to intimidate users and attack competitors.

Rewards and Rating standards

[Level 1]
Definition:
Vulnerabilities of this level have limited hazards or potential security hazards.

Categories:
1) Misuse of the verification code interface, high-frequency verification codes and passwords collision, etc.

2) Less harmful vulnerabilities such as CSRF attacks with insensitive operations, SPF mail forgery.3) Vulnerabilities that affect the availability and stability of the system, causing a response failure of the system.

[Level 2]
Definition:
Vulnerabilities of this level endanger sensitive information or assets security, and can cause a certain range of impacts or certain asset losses.

Categories:
1)Vulnerabilities such as XSS and CSRF attacks that affect some users, cause the leakage of user’s sensitive information, or perform sensitive operations beyond their authority.

2) Use the vulnerabilities in the verification logic, password resetting and other functions to obtain access to user accounts.

3) Vulnerabilities caused by product design defects affect data and asset security.

[Level 3]
Definition:
Vulnerabilities of this level can lead to serious asset loss or leakage of sensitive information in batches.

Categories:
1) Vulnerabilities that damage the assets security of users or platforms, like wallet private key leakage, deposit vulnerabilities, etc..

2) Unauthorized access to the system to obtain system permissions, like SQL injection, remote code execution and other high-risk vulnerabilities, etc.

3) Unauthorized access to sensitive information with immense reach, such as unauthorized access to user accounts, illegal access to sensitive data in the background of the system, etc.

Vulnerability Feedback and Handling Process
[Reporting Stage]
The reporter can send the report to support@coinex.com, or submit the report by submitting a request.

Note: The content of the report should be as detailed as possible, including text, URL, screenshot and other descriptions, and attachments can also be uploaded if necessary.

[Processing Stage]
1) Within three working days, CoinEx staff will confirm the received report and follow up to evaluate the problem.

2) Within seven working days, CoinEx staff will give a conclusion and rating, communicate and confirm with the reporter if necessary, and ask for the reporter's assistance.

[Repair Stage]
1) The business department will fix the reported security issue and arrange to-be-launched update.The repair time depends on the severity of the problem and the difficulty of the repair. The security issue of the client is limited by the version release, and the repair time is determined according to the actual situation.

2) The reporter can review whether the security problem is fixed.

[Completion Stage]
After the repair is completed, CoinEx will distribute the corresponding rewards to reporters according to the “Reward and Rating Standards”.

FAQ
Q: Will CoinEx disclose the information related to the vulnerability report?
A: In order to protect users’ interests and privacy, the report-related information will not be made public.

Q: Does the CoinEx Security Bounty use rewards to conceal security issues?
A: No. First of all, CoinEx believes that related information should not be disclosed in order to protect users’ interests and privacy, which is also a common practice in the industry. Secondly, the rewards from CoinEx are to express gratitude and respect to the reporters, instead of concealing security issues.

Q: Will CoinEx “ignore” the vulnerability and then secretly fix it?
A: Absolutely not. Once the “vulnerability” submitted by the reporter enters the “ignored” state, the relative staff will explain the reason in the report feedback. The common situation is that this "vulnerability" is not considered a vulnerability and is evaluated as a BUG, but in any case, CoinEx will not “secretly fix the vulnerability.”