Bug bounty

BingX Exchange: Program info

BingX Exchange

Company: BingX
This program is active now
Program info

Founded in 2018, BingX.com is a crypto social trading exchange that offers spot, derivatives and copy trading services to more than 100 countries worldwide. BingX prides itself as the people's exchange by unlocking the fast-growing cryptocurrency market for everyone, connecting users with experts traders and a platform to invest in a simple, engaging and transparent way.

In scope
TargetTypeSeverityReward
*.bingx.com
Web
Critical
Bounty
*.bingx.pro
Web
Critical
Bounty
https://play.google.com/store/apps/details?id=pro.bingbon.app
Android
Critical
Bounty
https://apps.apple.com/us/app/bingbon-global/id1500217666?ls=1
iOS
Critical
Bounty
https://bingx-api.github.io/docs/swap/introduce.html
API
Critical
Bounty
Target
*.bingx.com
TypeWeb
Severity
Critical
RewardBounty
Target
*.bingx.pro
TypeWeb
Severity
Critical
RewardBounty
Target
https://play.google.com/store/apps/details?id=pro.bingbon.app
TypeAndroid
Severity
Critical
RewardBounty
Target
https://apps.apple.com/us/app/bingbon-global/id1500217666?ls=1
TypeiOS
Severity
Critical
RewardBounty
Target
https://bingx-api.github.io/docs/swap/introduce.html
TypeAPI
Severity
Critical
RewardBounty
Out of scope
TargetTypeSeverityReward
support.bingx.pro
Web
None
Bounty
support.bingx.com
Web
None
Bounty
blog.bingx.com
Web
None
Bounty
uat.bingx.com
Web
None
Bounty
pre.bingx.com
Web
None
Bounty
qa.bingx.com
Web
None
Bounty
blog.bingx.com
Web
None
Bounty
https://bingx.com/en-us/community/
Web
None
Bounty
https://bingx.com/zh-tw/official-verification
Web
None
Bounty
Target
support.bingx.pro
TypeWeb
Severity
None
RewardBounty
Target
support.bingx.com
TypeWeb
Severity
None
RewardBounty
Target
blog.bingx.com
TypeWeb
Severity
None
RewardBounty
Target
uat.bingx.com
TypeWeb
Severity
None
RewardBounty
Target
pre.bingx.com
TypeWeb
Severity
None
RewardBounty
Target
qa.bingx.com
TypeWeb
Severity
None
RewardBounty
Target
blog.bingx.com
TypeWeb
Severity
None
RewardBounty
Target
https://bingx.com/en-us/community/
TypeWeb
Severity
None
RewardBounty
Target
https://bingx.com/zh-tw/official-verification
TypeWeb
Severity
None
RewardBounty

Focus Area

Critical vulnerability

  • Serious vulnerabilities refer to those that occur in the core system business system (core control system, domain control, business distribution system, bastion machine and other management and control systems that can manage a large number of systems) and can cause a large-scale impact. Limited) business system control authority
  • Serious vulnerabilities that can obtain the authority of the core system administrator and can control the core system.
  • Vulnerabilities that include but not limited to:
  • Intranet multiple machine control
  • The core background super administrator rights are obtained and cause a large-scale enterprise core data leakage, which can have a huge impact
  • Smart contract overflow, conditional race vulnerability

High-risk vulnerability

  • System access (getshell, command execution, etc.)
  • SQL injection of the system (background vulnerabilities are downgraded, packaged submissions are upgraded as appropriate) Unauthorized access to sensitive information. Including but not limited to bypassing authentication to directly access the management background, important background weak passwords, SSRF that obtains a large amount of sensitive information on the intranet, etc.)
  • Read any file
  • XXE Vulnerability to Obtain Arbitrary Information
  • Unauthorized operations involving money, bypassing payment logic (requires final use)
  • Serious logical design flaws and process flaws. Including but not limited to any user login vulnerability, batch modification of any account password vulnerability, logic vulnerability involving the core business of the enterprise, etc., except for verification code blasting
  • Other vulnerabilities affecting users on a large scale. Including but not limited to stored XSS that can be automatically propagated by important pages, stored XSS that can obtain administrator authentication information and successfully exploited, etc.
  • Lots of source code leaks
  • Smart Contract Permission Control Defects

Moderate vulnerability

  • Vulnerabilities that require interaction to affect users. Including but not limited to stored XSS of general pages, CSRF involving core business, etc.
  • Ordinary unauthorized operation. Including but not limited to bypassing restrictions, modifying user information, performing user operations, etc.
  • Denial of service vulnerability. Including but not limited to remote denial of service vulnerabilities that cause denial of service of website applications, etc.
  • Vulnerabilities that can be caused by the successful blasting of sensitive system operations such as arbitrary account login and arbitrary password retrieval due to verification code logic
  • The locally stored sensitive authentication key information is leaked, and it needs to be effectively used.

Low severity vulnerability

  • Local Denial of Service Vulnerability. Including but not limited to client-side local denial of service (parsing file formats, crashes caused by network protocols), exposure of Android component permissions, problems caused by common application permissions, etc.
  • General information leakage. Including but not limited to Web path traversal, system path traversal, directory browsing, etc.
  • Reflected XSS (including DOM XSS / Flash XSS)
  • Normal CSRF
  • No Rate Limitation. (Each system only accepts one vulnerability of this type)
  • URL redirection vulnerability
  • SMS bomb, mail bomb (Each system only accepts one vulnerability of this type)
  • Other vulnerabilities that are less harmful and cannot prove harmful (such as CORS vulnerabilities that cannot obtain sensitive information)
  • No echo and no successful SSRF exploit

OUT-OF-SCOPE VULNERABILITIES

  • Email Forgery Vulnerability / DMARC misconfigured
  • Broken social media channel(https://bingx.com/en-us/community/)
  • Bugs of Official Verification(https://bingx.com/zh-tw/official-verification)
  • Wordpress website(https://blog.bingx.com https://qa.bingx.com ...)
  • Some functional bugs cannot cause security risks

Program Rules

  • It is forbidden to conduct social work and fishing for personnel;
  • Vulnerabilities prohibit external dissemination;
  • Test loopholes are limited to proving tests, and destructive tests are strictly prohibited. If harm is caused unintentionally, it should be reported in time. At the same time, sensitive operations performed during the test, such as deletion, modification, etc., should be explained in the report;
  • The use of scanners for large-scale scanning is prohibited, and the unavailability of business systems or networks will be dealt with in accordance with relevant laws;
  • For testing vulnerabilities, try to avoid directly modifying the page, repeating the pop-up box (xss verification is recommended to use log), stealing cookies, obtaining other user information and other aggressive payloads (if you are testing touch typing, please use dnslog);
  • Be careful to use a highly aggressive payload, please delete it in time, otherwise we have the right to pursue relevant legal responsibilities.

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial is allowed for the moment.
  • Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of us or one of its contractor.
  • ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the point reproduction steps
Rewards
Range of bounty$50 - $4,000
Severity
Critical
$2,500 - $4,000
High
$1,000 - $2,000
Medium
$300 - $1,000
Low
$50 - $200
Stats
Total rewards$12,250
Bugs found338
Categories
CEXPlatform
Types
webmobileAPI
SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response10d
Triage Time7d
Reward Time15d
Resolution Time45d