BingX Exchange: Program Info


Founded in 2018, is a crypto social trading exchange that offers spot, derivatives and copy trading services to more than 100 countries worldwide.
BingX prides itself as the people's exchange by unlocking the fast-growing cryptocurrency market for everyone, connecting users with experts traders and a platform to invest in a simple, engaging and transparent way.

In Scope

Target Type Severity Reward
Web Critical Bounty
Web Critical Bounty
Android Critical Bounty
iOS Critical Bounty
API Critical Bounty

Out of scope

Target Type Severity
Web None
Web None
Web None
Web None
Web None
Web None
Web None
Web None
Web None

Critical vulnerability

  • Serious vulnerabilities refer to those that occur in the core system business system (core control system, domain control, business distribution system, bastion machine and other management and control systems that can manage a large number of systems) and can cause a large-scale impact. Limited) business system control authority
  • Serious vulnerabilities that can obtain the authority of the core system administrator and can control the core system.
  • Vulnerabilities that include but not limited to:
  • Intranet multiple machine control
  • The core background super administrator rights are obtained and cause a large-scale enterprise core data leakage, which can have a huge impact
  • Smart contract overflow, conditional race vulnerability

High-risk vulnerability

  • System access (getshell, command execution, etc.)
  • SQL injection of the system (background vulnerabilities are downgraded, packaged submissions are upgraded as appropriate) Unauthorized access to sensitive information. Including but not limited to bypassing authentication to directly access the management background, important background weak passwords, SSRF that obtains a large amount of sensitive information on the intranet, etc.)
  • Read any file
  • XXE Vulnerability to Obtain Arbitrary Information
  • Unauthorized operations involving money, bypassing payment logic (requires final use)
  • Serious logical design flaws and process flaws. Including but not limited to any user login vulnerability, batch modification of any account password vulnerability, logic vulnerability involving the core business of the enterprise, etc., except for verification code blasting
  • Other vulnerabilities affecting users on a large scale. Including but not limited to stored XSS that can be automatically propagated by important pages, stored XSS that can obtain administrator authentication information and successfully exploited, etc.
  • Lots of source code leaks
  • Smart Contract Permission Control Defects

Moderate vulnerability

  • Vulnerabilities that require interaction to affect users. Including but not limited to stored XSS of general pages, CSRF involving core business, etc.
  • Ordinary unauthorized operation. Including but not limited to bypassing restrictions, modifying user information, performing user operations, etc.
  • Denial of service vulnerability. Including but not limited to remote denial of service vulnerabilities that cause denial of service of website applications, etc.
  • Vulnerabilities that can be caused by the successful blasting of sensitive system operations such as arbitrary account login and arbitrary password retrieval due to verification code logic
  • The locally stored sensitive authentication key information is leaked, and it needs to be effectively used.

Low severity vulnerability

  • Local Denial of Service Vulnerability. Including but not limited to client-side local denial of service (parsing file formats, crashes caused by network protocols), exposure of Android component permissions, problems caused by common application permissions, etc.
  • General information leakage. Including but not limited to Web path traversal, system path traversal, directory browsing, etc.
  • Reflected XSS (including DOM XSS / Flash XSS)
  • Normal CSRF
  • No Rate Limitation. (Each system only accepts one vulnerability of this type)
  • URL redirection vulnerability
  • SMS bomb, mail bomb (Each system only accepts one vulnerability of this type)
  • Other vulnerabilities that are less harmful and cannot prove harmful (such as CORS vulnerabilities that cannot obtain sensitive information)
  • No echo and no successful SSRF exploit


  • It is forbidden to conduct social work and fishing for personnel;
  • Vulnerabilities prohibit external dissemination;
  • Test loopholes are limited to proving tests, and destructive tests are strictly prohibited. If harm is caused unintentionally, it should be reported in time. At the same time, sensitive operations performed during the test, such as deletion, modification, etc., should be explained in the report;
  • The use of scanners for large-scale scanning is prohibited, and the unavailability of business systems or networks will be dealt with in accordance with relevant laws;
  • For testing vulnerabilities, try to avoid directly modifying the page, repeating the pop-up box (xss verification is recommended to use log), stealing cookies, obtaining other user information and other aggressive payloads (if you are testing touch typing, please use dnslog);
  • Be careful to use a highly aggressive payload, please delete it in time, otherwise we have the right to pursue relevant legal responsibilities.
  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial is allowed for the moment.
  • Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of us or one of its contractor.
  • ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the point reproduction steps