BingX Exchange: Program Info

Critical vulnerability

• Serious vulnerabilities refer to those that occur in the core system business system (core control system, domain control, business distribution system, bastion machine and other management and control systems that can manage a large number of systems) and can cause a large-scale impact. Limited) business system control authority
• Serious vulnerabilities that can obtain the authority of the core system administrator and can control the core system.
• Vulnerabilities that include but not limited to:
• Intranet multiple machine control
• The core background super administrator rights are obtained and cause a large-scale enterprise core data leakage, which can have a huge impact
• Smart contract overflow, conditional race vulnerability

High-risk vulnerability

• System access (getshell, command execution, etc.)
• SQL injection of the system (background vulnerabilities are downgraded, packaged submissions are upgraded as appropriate) Unauthorized access to sensitive information. Including but not limited to bypassing authentication to directly access the management background, important background weak passwords, SSRF that obtains a large amount of sensitive information on the intranet, etc.)
• Read any file
• XXE Vulnerability to Obtain Arbitrary Information
• Unauthorized operations involving money, bypassing payment logic (requires final use)
• Serious logical design flaws and process flaws. Including but not limited to any user login vulnerability, batch modification of any account password vulnerability, logic vulnerability involving the core business of the enterprise, etc., except for verification code blasting
• Other vulnerabilities affecting users on a large scale. Including but not limited to stored XSS that can be automatically propagated by important pages, stored XSS that can obtain administrator authentication information and successfully exploited, etc.
• Lots of source code leaks
• Smart Contract Permission Control Defects

Moderate vulnerability

• Vulnerabilities that require interaction to affect users. Including but not limited to stored XSS of general pages, CSRF involving core business, etc.
• Ordinary unauthorized operation. Including but not limited to bypassing restrictions, modifying user information, performing user operations, etc.
• Denial of service vulnerability. Including but not limited to remote denial of service vulnerabilities that cause denial of service of website applications, etc.
• Vulnerabilities that can be caused by the successful blasting of sensitive system operations such as arbitrary account login and arbitrary password retrieval due to verification code logic
• The locally stored sensitive authentication key information is leaked, and it needs to be effectively used.

Low severity vulnerability

• Local Denial of Service Vulnerability. Including but not limited to client-side local denial of service (parsing file formats, crashes caused by network protocols), exposure of Android component permissions, problems caused by common application permissions, etc.
• General information leakage. Including but not limited to Web path traversal, system path traversal, directory browsing, etc.
• Reflected XSS (including DOM XSS / Flash XSS)
• Normal CSRF
• No Rate Limitation. (Each system only accepts one vulnerability of this type)
• URL redirection vulnerability
• SMS bomb, mail bomb (Each system only accepts one vulnerability of this type)
• Other vulnerabilities that are less harmful and cannot prove harmful (such as CORS vulnerabilities that cannot obtain sensitive information)
• No echo and no successful SSRF exploit

OUT-OF-SCOPE VULNERABILITIES

• Email Forgery Vulnerability / DMARC misconfigured
• Broken social media channel(https://bingx.com/en-us/community/)
• Bugs of Official Verification(https://bingx.com/zh-tw/official-verification)
• Wordpress website(https://blog.bingx.com https://qa.bingx.com ...)
• Some functional bugs cannot cause security risks