Bitkub: Program Info

Triaged by HackenProof
Bitkub

Founded in February 2018, Bitkub is a new-generation digital asset and cryptocurrency exchange platform that offers exchange services to individuals who want to buy, sell, and store cryptocurrencies.

In Scope

Target          Type      Severity   Reward
*.bitkub.com    Web       Critical   Bounty
                iOS       Critical   Bounty
                Android   Critical   Bounty

In-Scope Vulnerabilities

We are interested in the following vulnerabilities:

  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Database vulnerabilities, including SQL injection (SQLi)
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Other vulnerabilities with a clear potential for loss

OUT OF SCOPE - WEB

Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:

  • Vulnerabilities in third-party applications
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Most brute-forcing issues without clear impact
  • Missing HTTP security headers
  • Infrastructure vulnerabilities, including:
      • Certificate/TLS/SSL related issues
      • DNS issues (e.g. MX records, SPF records, DMARC records)
      • Server configuration issues (e.g. open ports)
  • Open redirects
  • Clickjacking/tapjacking and issues only exploitable through clickjacking/tapjacking
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Self-XSS that cannot be used to exploit other users
  • Login & Logout CSRF
  • Lack of Secure and HttpOnly cookie flags
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD)
  • Anything related to Mixed Content
  • Password reset token manipulation
  • MitM and local attacks
  • No rate limit issues (without clear security impact)
  • Rate Limit Absent on Forgot Password Page

OUT OF SCOPE - MOBILE

  • Attacks requiring physical access to a user's device
  • Vulnerabilities requiring extensive user interaction
  • Exposure of non-sensitive data on the device
  • Lack of obfuscation/binary protection/root(jailbreak) detection
  • Bypassing certificate pinning on rooted/jailbroken devices
  • Lack of exploit mitigations (e.g. PIE, ARC, or stack canaries)
  • Sensitive data in URLs/request bodies when protected by TLS
  • OAuth & app secret hard-coded/recoverable in IPA, APK
  • Any URI, URL, or path leaked through either the binary, the clipboard, or via memory
  • Sensitive information retained as plaintext in the device’s memory
  • Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
  • Runtime hacking exploits using tools such as (but not limited to) Frida/Appmon (exploits only possible in a jailbroken/rooted environment)
  • Exposure of API keys with no security impact (Google Maps API keys etc.)

PROGRAM RULES

  • Do not use automated web application vulnerability scanners; they generate massive traffic
  • Make every effort not to damage or restrict the availability of products, services or infrastructure
  • Do not compromise any personal data or interrupt or degrade any service
  • Do not access or modify other users' data; confine all testing to your own accounts
  • Test only targets within the defined scope
  • Do not exploit DoS/DDoS vulnerabilities, perform social engineering attacks, spam, or engage in physical or other fraudulent activities
  • Do not spam forms or account creation flows using automated tools
  • If you find a chain of vulnerabilities, we will pay only for the vulnerability with the highest severity
  • Do not break any law and stay within the defined scope
  • Details of discovered vulnerabilities must not be disclosed to anyone other than the HackenProof team or an authorized employee of this Company without appropriate permission
  • All submissions must include a proof of concept to be considered