Bitexen Web & App: Program Info

Triaged by HackenProof
Bitexen

Welcome to the Bitexen Vulnerability Reporting Program. As one of Turkey's largest crypto exchanges, providing a secure platform to our customers is one of our main priorities. Therefore, we invite everyone to join the Bitexen Vulnerability Reporting Program.

In Scope

Target / Type / Reward

  • www.bitexen.com / Web / Bounty
  • global.bitexen.com / Web / Bounty
  • com.bitexen.exchange - Android App Bitexen (https://play.google.com/store/apps/details?id=com.bitexen.exchange) / Android / Bounty
  • ID 1388036461 - iOS App Bitexen (https://apps.apple.com/tr/app/bitexen/id1388036461) / iOS / Bounty
  • com.bitexenglobal.exchangeapp - Android App Bitexen Global (https://play.google.com/store/apps/details?id=com.bitexenglobal.exchangeapp) / Android / Bounty
  • ID 1634643482 - iOS App Bitexen Global (https://apps.apple.com/tr/app/bitexen/id1634643482) / iOS / Bounty

IN-SCOPE VULNERABILITIES (WEB, MOBILE)

We are interested in the following vulnerabilities:

  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Injection vulnerabilities (SQL, XXE)
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Directory traversal
  • Other vulnerabilities with a clear potential loss

Out Of Scope

  • Domains and applications not listed in scope (critical or high severity vulnerabilities may still be considered in scope)
  • Vulnerable libraries and versions (may be considered in scope if there is an impacting PoC or exploitation method)
  • Theoretical, non-PoC-enabled or ineffective attacks
  • Automated tool and scan reports
  • Non-repeatable vulnerabilities
  • Brute force and social engineering attacks
  • DoS attacks (if you find a security vulnerability that could cause a DoS, report it without verifying it)
  • Self XSS
  • Attacks based on the use of weak or leaked passwords
  • CSRF vulnerabilities in input and output functions
  • Security flaws in HTTP headers
  • Cookie flag missing
  • Vulnerabilities on non-critical servers that could lead to information disclosure
  • Attacks that require Bitexen employee account or internal network access
  • Attacks that require MITM or physical access
  • Cache Poisoning vulnerabilities
  • SSL/TLS configuration deficiencies (using TLS 1.1 etc.)
  • E-Mail configuration deficiencies (SPF/DMARC/DKIM records etc.)
  • Open redirect vulnerabilities whose impact cannot be proven (such as cookie theft)
  • Absence of rate limiting (in systems that do have rate limiting, bypassing the rate limit is considered in scope)
  • UX and UI problems
  • Username enumeration vulnerabilities
  • Vulnerabilities that can only be exploited in outdated browsers, operating systems or platforms
  • Vulnerabilities found in third-party applications used
  • Deficiencies in Best Practice accepted controls
  • Vulnerabilities on mobile devices that require root, jailbreak or device modification

You can send us your questions about systems or vulnerabilities that are not explicitly listed as out of scope.

  • Only the first report for a given vulnerability is accepted.
  • Reports for vulnerabilities already known to Bitexen are not accepted.
  • Do not share the vulnerabilities you find on other platforms without Bitexen's permission. Reports that are found to have been shared will forfeit their reward.
  • Reports for vulnerabilities listed as out of scope are not accepted.
  • Take care not to damage the systems or compromise the confidentiality of personal data.
  • Do not access or modify other users' data; perform all tests with accounts under your control. Vulnerabilities that may grant access to user data can be reported without verification, or verified only against your own accounts.
  • Social engineering methods (phishing, vishing, smishing, etc.) and physical attacks (computer theft, SIM card cloning, etc.) must not be used. DoS attacks must not be attempted.
  • Reports can be submitted in Turkish or English.
  • All details about the vulnerability must be shared and a PoC must be provided. Sample report formats are available on the report-templates page.
  • Where a chained vulnerability is found by combining more than one security vulnerability, the individual vulnerabilities may be reported separately.

Reward Criteria

  • Bitexen employees and their first-degree relatives are not eligible for rewards.
  • You must be at least 14 years old to be eligible for a reward.
  • Detected vulnerabilities must not be shared publicly.
  • There must be no legal obstacle to granting the reward.

Safe Harbor

Bitexen will not take legal action over research and reports conducted in accordance with the rules specified on this page.

By submitting a report, you are considered to have transferred the rights to the submitted content to Bitexen.

If the security vulnerabilities in reports submitted under this program relate to the products, services, network infrastructure, systems, applications or information of third parties other than Bitexen, those reports are not considered within the scope of the Bitexen Vulnerability Reporting Program. In such cases the relevant third parties may initiate legal action, and Bitexen is not responsible for the consequences. Bitexen does not permit security research on anything other than its own products and services and does not grant anyone authorization in this regard.

The document containing the detailed rules and legal information for the Bitexen Vulnerability Reporting Program is available on the policy-details page.

Happy hunting! ᕕ( ᐛ )ᕗ

The Bitexen Vulnerability Reporting Program has been established to receive controlled notification of security vulnerabilities that may exist in our systems and to encourage researchers. If you believe the security of your Bitexen account has been compromised, change your password as soon as possible and contact our support team via [email protected].

Testing and Reporting

You can help us distinguish the traffic generated during your tests from an attacker's traffic by following the methods below.

  • You can use custom HTTP headers. (Example: X-BTXN-VDP: )
  • You can specify your IP address in the report.

Be sure to use only accounts that you control during testing. If you find a vulnerability that allows running commands on our systems, use only the id and hostname commands. Do not use automated tools. If you find a potentially damaging vulnerability, contact us to obtain additional testing permission before verifying it.

Allowed/not allowed actions for remote code execution vulnerabilities:

  • Allowed
      ◦ Harmless command attempts in input fields on the web frontend (such as whoami, hostname, ifconfig)
      ◦ File uploads that run a single hard-coded harmless command
      ◦ The id and hostname commands as proof that the vulnerability was exploited
  • Not Allowed
      ◦ File uploads (webshells, etc.) that allow arbitrary command execution
      ◦ File deletion, editing or permission changes
      ◦ Actions that may affect normal operations (reboot, etc.)
      ◦ Commands and file accesses beyond those required to prove the vulnerability

The following information should also be provided when reporting remote code execution vulnerabilities:

  • Source IP address, destination IP address and port information
  • Timestamp
  • Requests sent to and responses received from the server
  • Files and directories that were accessed, intentionally or unintentionally, during the test