Bitkub
Managed by Hacken

Bitkub

341 days left

Founded in February 2018, Bitkub is a new generation digital asset and cryptocurrency exchange platform that offers advanced cryptocurrency exchange services to individuals who intend to buy, sell, and store cryptocurrencies.

In Scope

Target Type Severity Reward
*.bitkub.com
Web Critical Bounty
iOS Critical Bounty
Android Critical Bounty

In-Scope Vulnerabilities

We are interested in the following vulnerabilities:

  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Database vulnerability, SQLi
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Other vulnerability with a clear potential loss

OUT OF SCOPE - WEB

Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not correspond to the severity threshold:

  • Vulnerabilities in third-party applications
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Most brute-forcing issues without clear impact
  • Missing HTTP security headers
  • Infrastructure vulnerabilities, including:
  • Certificates/TLS/SSL related issues
  • DNS issues (i.e. MX records, SPF records, etc.)
  • Server configuration issues (i.e., open ports, etc.)
  • Open redirects
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Self-XSS that cannot be used to exploit other users
  • Login & Logout CSRF
  • Lack of Secure and HTTPOnly cookie flags
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD)
  • Anything related to Mixed Content
  • Manipulation with Password Reset Token
  • MitM and local attacks
  • No rate limit issues (without clear security impact)
  • Rate Limit Absent on Forgot Password Page

OUT OF SCOPE - MOBILE

  • Attacks requiring physical access to a user's device
  • Vulnerabilities requiring extensive user interaction
  • Exposure of non-sensitive data on the device
  • Lack of obfuscation/binary protection/root(jailbreak) detection
  • Bypass certificate pinning on rooted devices
  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • OAuth & app secret hard-coded/recoverable in IPA, APK
  • Any URI, URL, or path leaked through either the binary, the clipboard, or via memory
  • Sensitive information retained as plaintext in the device’s memory
  • Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
  • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)
  • Exposure of API keys with no security impact (Google Maps API keys etc.)
  • Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services or infrastructure
  • Avoid compromising any personal data, interruption or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, spam, physical or other fraud activities
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
  • All submissions must include a proof of concept to be considered