CODEX is a licensed trading platform for cryptocurrencies and digital assets, built on a vanguard security infrastructure and a revolutionary reward system. CODEX offers some of the lowest fees on the market and a trade mining program.
In Scope
Target | Type | Severity | Reward
---|---|---|---
codex.one | Web | Critical | Bounty
api.codex.one | API | Critical | Bounty
In-Scope Vulnerabilities
- Remote Code Execution (RCE)
- Authentication bypass
- Theft of privileged information
- XSS/CSRF/Clickjacking affecting sensitive actions (excluding Self-XSS and logout CSRF)
- Privilege escalation
- Database vulnerability, SQL Injection
- Manipulation of account balance
- Other vulnerability with clear potential for financial or data loss
Out-of-Scope Vulnerabilities
- Theoretical vulnerabilities without actual proof of concept
- Email verification deficiencies, expiration of password reset links, and password complexity policies
- DNS issues (e.g. MX records, SPF records, etc.)
- Clickjacking/UI redressing with minimal security impact
- Email or mobile enumeration (e.g. the ability to identify emails via password reset)
- Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs)
- Internally known issues, duplicate issues, or issues which have already been made public
- Tab-nabbing
- Self-XSS
- Vulnerabilities only exploitable on out-of-date browsers or platforms
- Vulnerabilities related to auto-fill web forms
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Use of known vulnerable libraries without actual proof of concept
- Lack of Secure/HTTPOnly flags on non-security-sensitive cookies
- Issues related to unsafe SSL/TLS cipher suites or protocol version
- Content spoofing
- Cache-control related issues
- Exposure of internal IP address or domains
- Missing security headers that do not lead to direct exploitation
- CSRF with negligible security impact (e.g. adding to favorites, adding to cart, subscribing to a non-critical feature)
- Physical or social engineering attempts (this includes phishing attacks against employees)
- Issues that have no security impact (e.g. failure to load a web page)
- Assets that do not belong to CODEX Exchange
- UI and UX bugs and spelling or localization mistakes
- Vulnerabilities in third-party applications
- Reports that state that software is out of date/vulnerable without a proof of concept
- Disclosure of known public files or directories (e.g. robots.txt)
- Missing SPF/DKIM/DMARC entries
- Weak Captcha
- Recently disclosed 0-day vulnerabilities
- Most brute forcing issues
- Denial of service
- Spamming
- JWT authentication-related issues arising from the expiring nature of tokens
Program Rules
- Avoid compromising any personal data, or interrupting or degrading any service.
- Don’t access or modify other user data, localize all tests to your accounts.
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
- If you find chained vulnerabilities, we pay only for the vulnerability with the highest severity.
- Only the first valid bug is eligible for reward.
- Don’t disclose publicly any vulnerability until you are granted permission to do so.
- Don’t break any law and stay in the defined scope.
- Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof Team or an authorized employee of this Company without appropriate permission.
- Comply with the rules of the program.
Actions to avoid
- Testing on accounts other than those that you own
- Automated testing using tools such as scanners
- Excessive request attempts
- Destruction of data
- Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
- Making a good faith effort to not leak or destroy any CODEX Exchange user data.
- Not defrauding CODEX Exchange users or CODEX itself in the process of discovery.
Please submit a request ticket at https://support.codex.one. Thank you for your efforts in helping keep CODEX Exchange and its users safe!