Introduction

CoinEx Security Bounty Program aims to provide global users with a secure, stable, and efficient digital currency trading platform. This program divides potential vulnerabilities into three levels (L1 to L3) based on risks. To encourage more users and white hats to discover and report security vulnerabilities, a bounty payment of up to 10,000 USDT will be rewarded to those who submit valid reports.

The principles, rewards, and evaluation criteria of the CoinEx Security Bounty Program are outlined below.

Basic Principles

1. CoinEx Security Bounty Program ONLY accepts reports for vulnerabilities found on the official CoinEx website at www.coinex.com.

2. CoinEx attaches great importance to the security of its products and services. We promise to follow up, evaluate and fix all reported issues and respond to all reports timely.

3. To ensure effective follow-up, CoinEx may need assistance from the security researcher to reproduce the issue.

4. CoinEx highlights responsible vulnerability disclosure and handling. We promise to offer recognition and reward to every user who adheres to the white hat spirit, protects users' interests, and helps CoinEx improve security.

5. CoinEx opposes and condemns all hacking activities that use vulnerability testing as an excuse to damage the interests of CoinEx users, including but not limited to exploiting vulnerabilities to violate user privacy and steal digital assets, invade business systems, steal user data, and maliciously spread vulnerabilities.

6. CoinEx opposes and condemns all acts of using security vulnerabilities to intimidate users and attack competitors.

7. CoinEx reserves the right to make a final interpretation of the security bounty program at any time.

Rewards and Evaluation Criteria

•  Level 1

Definition: Vulnerabilities of this level may pose limited hazards or potential security risks.

Categories:

(1) Misuse of the verification code interface, brute force attacks on verification codes and passwords

(2) Less harmful vulnerabilities such as CSRF attacks with non-sensitive operations, and SPF mail forgery.

(3) Vulnerabilities that affect the availability and stability of the system, causing a response failure of the system.

• Level 2

Definition: Vulnerabilities of this level compromise sensitive information or asset security. They may cause certain impacts or asset losses.

Categories:

(1) Vulnerabilities such as XSS and CSRF attacks that affect some users, cause the leakage of users' credentials or trigger unauthorized sensitive operations.

(2) Vulnerabilities in verification logic, password reset, etc. that can be exploited to access user accounts.

(3) Vulnerabilities in product design that compromise data and asset security

• Level 3
  

Definition: Vulnerabilities of this level can cause severe asset loss or massive leakage of sensitive information.

Categories:

(1) Vulnerabilities that damage the security of user assets or company property, such as private key leakage, deposit vulnerabilities, etc.

(2) High-risk vulnerabilities such as SQL injection, remote code execution, etc. that allow unauthorized system access to obtain system permissions.

(3) Unauthorized access to sensitive information, such as unauthorized access to user accounts, illegal access to sensitive data in the system backend, etc.

Security Bounty Program Process

1. Submit a report

The security researcher can send the report to support@coinex.com, or open a ticket to submit the report.

Note: The report should be as detailed as possible, including text, URL, screenshots, etc. If necessary, attach a file.

2. Vulnerability investigation and evaluation

(1) Within three working days, CoinEx will review the report and investigate the issue.

(2) Within seven working days, CoinEx will give a conclusion and determine the vulnerability level. If necessary, we will confirm further with the researcher and your assistance would be much appreciated.

3. Fix the reported issue

(1) Our technical department will fix the reported security issue and schedule an update. The repair time depends on the severity of the issue and technical difficulties. For security issues in the clients, the repair time depends on the situation since it's affected by the release schedule.

(2) The researcher can review whether the security issue is fixed.

4. Final stage

After the repair is completed, CoinEx will distribute the bounty rewards to the security researcher according to the “Reward and Evaluation Criteria”.

FAQ

Q: Will CoinEx disclose the information related to the vulnerability report?

A: In order to protect users' interests and privacy, we will not publicly disclose any information about the report.

Q: Is the CoinEx Security Bounty Program a disguise for using rewards to conceal security issues?

A: No. First of all, CoinEx believes that related information should not be disclosed in order to protect users’ interests and privacy, which is also a common practice in the industry. Secondly, the rewards are intended to express gratitude and respect to the security researcher, instead of concealing security issues.

Q: Will CoinEx “ignore” the vulnerability and then secretly fix it?

A: Absolutely not. If a vulnerability report is “ignored”, our staff will explain the reason in the report feedback. Usually, this happens because the "vulnerability" is not considered a vulnerability but evaluated as a BUG. CoinEx will not “secretly fix the vulnerability” in any case.