CODEX Exchange

CODEX

CODEX is a licensed trading platform for cryptocurrencies & digital assets, built on vanguard security infrastructure and revolutionary reward system. CODEX offers one of the lowest fees on the market and trade mining program.

In Scope

Target Type Severity Reward
codex.one
Web Critical Bounty
api.codex.one
API Critical Bounty
Severity (CVSSv3) Reward
Critical 3000$
High 1500$
Medium 500$
Low 200$

In-Scope Vulnerabilities


  • Remote Code Execution (RCE)
  • Authentication bypass
  • Theft of privileged information
  • XSS/CSRF/Clickjacking affecting sensitive actions (excluding Self-XSS and logout CSRF)
  • Privilege escalation
  • Database vulnerability, SQL Injection
  • Manipulation of account balance
  • Other vulnerability with clear potential for financial or data loss

Out-of-Scope Vulnerabilities


  • Theoretical vulnerabilities without actual proof of concept
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • DNS issues (i.e. mx records, SPF records, etc.)
  • Clickjacking/UI redressing with minimal security impact
  • Email or mobile enumeration (E.g. the ability to identify emails via password reset)
  • Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
  • Internally known issues, duplicate issues, or issues which have already been made public
  • Tab-nabbing
  • Self-XSS
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities related to auto-fill web forms
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Use of known vulnerable libraries without actual proof of concept
  • Lack of Secure/HTTPOnly flags on non-security-sensitive cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol version
  • Content spoofing
  • Cache-control related issues
  • Exposure of internal IP address or domains
  • Missing security headers that do not lead to direct exploitation
  • CSRF with negligible security impact (E.g. adding to favorites, adding to cart, subscribing to a non-critical feature)
  • Physical or social engineering attempts (this includes phishing attacks against employees)
  • Issues that have no security impact (E.g. Failure to load a web page)
  • Assets that do not belong to CODEX Exchange
  • UI and UX bugs and spelling or localization mistakes
  • Vulnerabilities in third-party applications
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Disclosure of known public files or directories, (e.g. robots.txt)
  • Missing SPF/DKIM/DMARC entries.
  • Weak Captcha
  • Recently disclosed 0day vulnerabilities.
  • Most brute forcing issues
  • Denial of service
  • Spamming
  • JWT authentication related issues because of its expiration nature
  • Avoid compromising any personal data, interruption or degradation of any service.
  • Don’t access or modify other user data, localize all tests to your accounts.
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
  • Only the first valid bug is eligible for reward.
  • Don’t disclose publicly any vulnerability until you are granted permission to do so.
  • Don’t break any law and stay in the defined scope.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.
  • Comply with the rules of the program.

Actions to avoid


  • Testing on accounts other than those that you own
  • Automated testing using tools such as scanners
  • Excessive request attempts
  • Destruction of data
  • Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  • Making a good faith effort to not leak or destroy any CODEX Exchange user data.
  • Not defrauding CODEX Exchange users or CODEX itself in the process of discovery.

Please submit a request ticket at https://support.codex.one Thank you for your efforts in helping keep CODEX Exchange and its users safe!