Bug bounty program
Triaged by HackenProof

OKX: Program info

Company: OKX
100 reputation points required; POC required
Live: Program is active now

Founded in 2017, OKX is one of the world’s leading cryptocurrency spot and derivatives exchanges. OKX innovatively adopted blockchain technology to reshape the financial ecosystem by offering some of the most diverse and sophisticated products, solutions, and trading tools on the market. Trusted by more than 20 million users in over 180 regions globally, OKX strives to provide an engaging platform that empowers every individual to explore the world of crypto.

In scope

Target                          Type      Severity
*.okx.com                       Web       Critical
Android App                     Android   Critical
  https://play.google.com/store/apps/details?id=com.okinc.okex.gp
iOS App                         iOS       Critical
  https://apps.apple.com/hk/app/okx-buy-bitcoin-eth-crypto/id1327268470?l=en
MacOS App                       Other     Medium
  https://www.okx.com/download
WindowsOS App                   Other     Medium
  https://www.okx.com/download
OKX Wallet Chrome Extension     Other     Critical
  https://chrome.google.com/webstore/detail/okx-wallet/mcohilncbfahbmgdjkbpemcciiolgcge
OKX Wallet Edge Add-ons         Other     Critical
  https://microsoftedge.microsoft.com/addons/detail/okx-wallet/pbpjkcldjiffchgbbndmhojiacbgflha
OKX Wallet Safari Extension     Other     Critical
  https://apps.apple.com/us/app/okx-wallet/id6463797825?mt=12
Out of scope

Target       Type             Severity
OKT Chain    Infrastructure   None
  https://github.com/okx/exchain

Focus Area

Vulnerability Tiers and Rewards

  • Extreme: $30,000 - $1,000,000
  • Critical: $5,000 - $30,000
  • High: $2,000 - $5,000
  • Medium: $600 - $2,000
  • Low: $50 - $600

Rewards are based on OKX's internal matrix and are at OKX's discretion.

Note: Unlisted vulnerabilities will be assessed using CVSS v3.1 and internal business impact analysis.


Web2 Vulnerabilities

Focus: okx.com and OKX web platforms

Critical

  • RCE: Arbitrary code execution on OKX servers
  • SQL Injection (Core DB): Large-scale data access/modification in core DB
  • Admin Backend Takeover: Gaining critical admin privileges
  • Mass Account Takeover: Systemic takeover of >50% of user accounts
  • System Command Execution: OS commands on servers

High

  • Stored XSS Worms: Self-replicating XSS on critical user-facing pages
  • CSRF (Critical Actions): Leads to ATO or unauthorised asset actions
  • Account Access at Scale: Unauthorised multi-account access via auth/authz flaws
  • SQL Injection (Limited): Extracting specific sensitive data
  • Source Code Leakage: Significant backend/internal code exposed
  • SSRF (Contextual Impact): Reaches internal services; severity based on access achieved

Medium

  • Stored XSS (Interaction): Persistent XSS requiring user interaction
  • CSRF (Core Business): Targets non-critical business actions
  • Auth Bypass (Limited): Unauthorised access without financial impact
  • Subdomain Takeover: Unused subdomains with reputational/phishing risk
  • Verification Code Flaws: Weaknesses in login or password reset logic
  • Sensitive Data Exposure: Encrypted/internal user data disclosed
  • Cleartext Credentials: Hardcoded credentials in source/config, excluding API keys

Low

  • Reflected XSS: Non-persistent XSS in URLs or parameters
  • DOM/Flash XSS: Client-side XSS, no backend interaction
  • Open Redirects: Unvalidated redirects to external domains
  • General Info Leaks: Internal paths, directories, or debug interfaces exposed
  • Common CSRF: Targets non-sensitive actions
  • HTTP Header Manipulation: Low-impact header modification

Mobile Vulnerabilities

Focus: OKX official mobile apps

Critical

  • Remote Exploits: App integrity compromise or code execution on OKX infrastructure
  • Mass Data Breach: Unauthorised access to large volumes of user data
  • Admin Privilege Takeover: Backend admin access via mobile vectors
  • System Command Execution: OS commands on application servers
  • SQL/NoSQL Injection: Mass data exfiltration/modification or system compromise via mobile APIs

High

  • CSRF (Critical Actions): Leads to ATO or unauthorised asset actions
  • SSRF (Contextual Impact): Accesses internal systems via mobile endpoints
  • Sensitive Data Exposure: Sensitive info leaked from app
  • Logic Flaws (Fund Impact): Unauthorised balance manipulation or transactions
  • Source Code Leakage: Significant application source code exposed
  • Unauthorised Operations: Unauthorised financial operations via app exploits

Medium

  • Stored XSS (Interaction): Persistent XSS in mobile components
  • CSRF (Core Business): Targets non-critical business logic
  • Auth Bypass (Limited): Unauthorised data/config access without financial impact
  • Local Storage Leaks: Session tokens or credentials disclosed
  • Verification Flaws: Weaknesses in OTP, login, or reset mechanisms
  • Cleartext Credentials: Hardcoded secrets in app files, excluding API keys

Low

  • Component Exposure: Exported Android activities or iOS services exposed
  • Open Redirects: Unvalidated redirects in app flows
  • HTTP Header Issues: Minor header manipulation

Desktop Client Vulnerabilities

Focus: OKX desktop clients - Windows/MacOS (from okx.com)

Critical

  • RCE: Arbitrary code execution on client or server via desktop app
  • Admin Privilege Takeover: Backend admin control via client
  • System Command Execution: OS commands via misconfigurations or unsafe input

High

  • CSRF (ATO or Fund Transfers): Forged requests causing critical authenticated actions
  • SSRF (Contextual Impact): Forged requests to internal services
  • Sensitive Data Exposure: Encrypted seeds or local sensitive data exposed
  • Transaction Disruptions: Bugs preventing trading, deposits, or withdrawals
  • Logic Flaws (Fund Impact): Client-side manipulation of balances or transfers

Medium

  • CSRF (Core Business): Forging non-sensitive client actions
  • Auth Bypass (Limited): Unauthorised access to user configs or restricted views
  • Local Storage Leaks: Session tokens or auth secrets exposed
  • Cleartext Credentials: Hardcoded secrets (excl. API keys) in configs or binaries

Low

  • Local DoS: App crash via malformed files or inputs
  • Minor Misconfigurations: Temporary/local files with no sensitive data

Web3 Vulnerabilities

Focus: OKX Web3 Wallet, blockchain infrastructure, or funds

Critical

  • Remote exploits on validators/contracts or admin takeovers
  • Code execution on production infrastructure
  • Stealing funds or exfiltrating sensitive data at scale
  • Full bypass of authentication or authorisation
  • Affects majority of users or business-critical functions

High

  • Unauthorised access to sensitive data or funds (limited scope)
  • Account takeover requiring specific user interaction
  • Smart contract exploits with financial impact requiring specific states

Medium

  • Smart contract bugs requiring manual triggering without direct fund loss
  • Wallet address manipulation altering front-end display only
  • Replay of signed messages requiring complex setup
  • Incorrect chainID, nonce, or gas causing inefficiencies
  • DApp overbroad permission prompts (user must accept)

Low

  • RPC metadata disclosure without sensitive data
  • Node instability causing UI/sync delays, not affecting tx execution
  • Minor signature validation errors that cannot bypass permission
  • Smart contract visibility issues not affecting logic
  • dApp UI typos/inaccuracies not tied to transaction outcome

Additional Guidelines

  • IDOR: Must demonstrate ID discovery path, not brute force only
  • Mobile: Report once per vulnerability (iOS/Android)
  • Wallet Extensions: Report once per vulnerability (Chrome/Edge/Safari)
  • Duplicates: Same issue across multiple assets = one report
  • Non-exploitable or low-impact bugs will not be rewarded but may be acknowledged
  • Compliance reports assessed case by case
  • All vulnerabilities must be manually validated by the researcher

AI Usage & Disclosure

  • Disclose any AI tool use in discovery, testing, or report writing
  • AI may assist with drafting/tooling but findings must be independently validated
  • Auto-generated or unvalidated AI reports may be closed as Not Applicable or Spam

Out of Scope

  • Automated tool/scanner reports
  • False positive SQLi without PoC
  • Spam, mail spoofing, mail bomb
  • Self-XSS
  • Known-vulnerable libraries without PoC
  • Clickjacking on non-sensitive pages
  • CSRF on unauthenticated or low-impact forms
  • Attacks requiring MITM, root/jailbreak, or physical access
  • CSV injection without demonstrated exploitation
  • Missing SSL/TLS, CSP, HttpOnly/Secure flags, or SPF/DKIM/DMARC
  • DoS or service disruption
  • Content spoofing without HTML/CSS modification
  • Rate limiting/brute-force on non-auth endpoints
  • Version disclosure, banner info, stack traces, verbose errors
  • Public 0-days patched less than 1 month ago (case-by-case)
  • Tabnabbing
  • Unlikely user interaction or internally known vulnerabilities
  • Best practice/hardening recommendations
  • WordPress vulnerabilities
  • DLL hijacking (all variants)
  • Rate-limit bypass by changing IP or device ID
  • URL/domain spoofing in mobile in-app browsers
  • Sensitive data exposure on social media
  • Internal domain takeovers outside okx.com, okg.com, or oklink.com
  • Clients not from official sources
  • Proof of Reserves reported as sensitive document leak
  • Static binary analysis without PoC affecting business logic
  • Lack of obfuscation or jailbreak/root detection
  • Certificate pinning bypass on rooted/jailbroken devices
  • Missing exploit mitigations (PIE, ARC, Stack Canaries)
  • Sensitive data in TLS-protected URLs or request bodies
  • Hardcoded/recoverable app secrets without business impact
  • Sensitive data in private app directory
  • App crashes from malformed URL schemes
  • Runtime exploits only in rooted/jailbroken environments
  • Leaked shared links via clipboard
  • URI leaks from malicious apps
  • API key exposure without security impact
  • Third-party services (unless explicitly in scope)
  • Social engineering, spam, physical attacks
  • Services not owned by OKX
  • AI-generated reports without human validation

Program Rules

  • Avoid using web application scanners for automated vulnerability searching, which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, or interrupting or degrading any service
  • Don’t access or modify other users’ data; confine all tests to your own accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • If you find chained vulnerabilities, we’ll pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof Team or an authorized employee of this Company without appropriate permission
  • Please limit your requests to 5 requests per second.
  • Please do not flood the support centre with too many tickets.

Disclosure Guidelines

  • As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial, is allowed for the moment.
  • Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:

  • You must be the first vulnerability reporter.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackenproof.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must not be a former or current employee of ours or of one of our contractors.
  • ONLY USE YOUR HackenProof ACCOUNT (in case of violation, no bounty will be awarded).
  • Provide detailed but to-the-point reproduction steps.

Reward Bonuses

High-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.

Known issues

Please note that the OKX Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates. We seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.

Rewards

Trusted Payer: this company has funded a bounty deposit.
Range of bounty: $50 - $1,000,000

Severity    Reward
Critical    $5,000 - $30,000
High        $2,000 - $5,000
Medium      $600 - $2,000
Low         $50 - $600

Stats

Scope Review: 113610
Submissions: 505
Total rewards: $63,990

Types: Web, apps, blockchain
Project types: CEX, NFT Marketplace

SLA (Service Level Agreement)

Time within which the program's triage team must respond (in business days):

Response Type      Business days
First Response     3d
Triage Time        3d
Reward Time        5d
Resolution Time    30d