Bug bounty
Triaged by Hackenproof

Bitexen Web & App: Program info

Bitexen Web & App

Company: Bitexen
This program is active now
Program infoHackers (37)Reports

Welcome to the Bitexen Vulnerability Reporting Program. As one of Turkey's largest crypto exchanges, providing a secure platform to our customers is one of our main priorities. Therefore, we invite everyone to join the Bitexen Vulnerability Reporting Program.

In scope
TargetTypeSeverityReward
www.bitexen.com
copy
Copy
success Copied
Web
Critical
Bounty
global.bitexen.com
copy
Copy
success Copied
Web
Critical
Bounty
com.bitexen.exchange - Android App Bitexen
copy
Copy
success Copied

Android App Bitexen https://play.google.com/store/apps/details?id=com.bitexen.exchange

Android
Critical
Bounty
ID 1388036461 - iOS App Bitexen
copy
Copy
success Copied

iOS App Bitexen https://apps.apple.com/tr/app/bitexen/id1388036461

iOS
None
Bounty
com.bitexenglobal.exchangeapp - Android App Bitexen Global
copy
Copy
success Copied

Android App Bitexen Global https://play.google.com/store/apps/details?id=com.bitexenglobal.exchangeapp

Android
Critical
Bounty
ID 1634643482 - iOS App Bitexen Global
copy
Copy
success Copied

iOS App Bitexen Global https://apps.apple.com/tr/app/bitexen/id1634643482

iOS
Critical
Bounty
Target
www.bitexen.com
copy
Copy
success Copied
TypeWeb
Severity
Critical
RewardBounty
Target
global.bitexen.com
copy
Copy
success Copied
TypeWeb
Severity
Critical
RewardBounty
Target
com.bitexen.exchange - Android App Bitexen
copy
Copy
success Copied

Android App Bitexen https://play.google.com/store/apps/details?id=com.bitexen.exchange

TypeAndroid
Severity
Critical
RewardBounty
Target
ID 1388036461 - iOS App Bitexen
copy
Copy
success Copied

iOS App Bitexen https://apps.apple.com/tr/app/bitexen/id1388036461

TypeiOS
Severity
None
RewardBounty
Target
com.bitexenglobal.exchangeapp - Android App Bitexen Global
copy
Copy
success Copied

Android App Bitexen Global https://play.google.com/store/apps/details?id=com.bitexenglobal.exchangeapp

TypeAndroid
Severity
Critical
RewardBounty
Target
ID 1634643482 - iOS App Bitexen Global
copy
Copy
success Copied

iOS App Bitexen Global https://apps.apple.com/tr/app/bitexen/id1634643482

TypeiOS
Severity
Critical
RewardBounty

Focus Area

IN-SCOPE VULNERABILITIES (WEB, MOBILE)

We are interested in the following vulnerabilities:

  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Injection vulnerabilities (SQL, XXE)
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Directory traversal
  • Other vulnerability with a clear potential loss

Out Of Scope

  • Domains and applications not listed in scope (Critical or high level vulnerabilities may be considered in scope)
  • Vulnerable libraries and versions (Can be considered in scope if there is an impacting PoC or exploitation method)
  • Theoretical, non-PoC-enabled or ineffective attacks
  • Automated tool and scan reports
  • Non-repeatable vulnerabilities
  • Brute force and social engineering attacks
  • DoS attacks (When you find a security vulnerability that may be a DoS cause, forward it without verification)
  • Self XSS
  • Attacks based on the use of weak or leaked passwords
  • CSRF vulnerabilities in input and output functions
  • Security flaws in HTTP headers
  • Cookie flag missing
  • Vulnerabilities on non-critical servers that could lead to information disclosure
  • Attacks that require Bitexen employee account or internal network access
  • Attacks that require MITM or physical access
  • Cache Poisoning vulnerabilities
  • SSL/TLS configuration deficiencies (using TLS 1.1 etc.)
  • E-Mail configuration deficiencies (SPF/DMARC/DKIM records etc.)
  • Open Redirects vulnerabilities that cannot be proven to have an effect (such as cookie theft)
  • Absence of rate limiting (in systems with rate limiting, bypassing the rate limit will be considered within the scope)
  • UX and UI problems
  • Username enumeration vulnerabilities
  • Vulnerabilities that can only be exploited in outdated browsers, operating systems or platforms
  • Vulnerabilities found in third-party applications used
  • Deficiencies in "Best Practice" accepted controls
  • Vulnerabilities on mobile devices that require root, jailbreak or device modification

You can send your questions about systems/vulnerabilities that are not specified as out of scope.

Program Rules

  • The first report for the same vulnerability is accepted.
  • Reports for vulnerabilities already known by Bitexen are not accepted.
  • Do not share the vulnerabilities found on other platforms without Bitexen's permission. Reports that are found to be shared will lose their reward.
  • Reports sent for vulnerabilities specified as out of scope are not accepted.
  • Care should be taken not to damage the systems and the confidentiality of personal data.
  • Other user data should not be accessed or changed, and all tests should be performed with the accounts under your control. You can forward vulnerabilities that may authorize access to user data without verifying or only by verifying them on your own accounts.
  • Social engineering methods (phishing, vishing, smishing, etc.) and physical attacks (computer theft, SIM card copying, etc.) should not be used. DoS attacks should not be attempted.
  • Reports can be submitted in Turkish or English.
  • All details about the vulnerability must be shared and a PoC must be given. You can access the sample report formats at report-templates page.
  • In cases where chain security vulnerabilities are detected by using more than one security vulnerabilities, separate reporting can be made.

Reward Criteria

  • Bitexen employees and their first degree relatives cannot win rewards.
  • You must be at least 14 years old to be eligible for the reward.
  • Detected vulnerabilities should not be shared publicly.
  • There should be no legal obstacles to the giving of the reward

Disclosure Guidelines

Safe Harbor

Bitexen will not take any legal action for researches and reports made in accordance with the rules specified on this page.

In case of sending a report, it is considered that the rights of the submitted content are transferred to Bitexen.

In case the security vulnerabilities in the reports submitted within the scope of the program are related to the products and services, network structures, systems, applications and information of third parties other than Bitexen, the relevant reports are not considered within the scope of the Bitexen Vulnerability Reporting Program and therefore the relevant third parties may initiate legal action in such a reporting situation and We would like to inform you that we, as Bitexen, are not responsible for the situation. Bitexen does not allow security research other than its own products and services and does not provide any person with an authorization in this regard.

You can access the document, which includes detailed rules and legal information about the Bitexen Vulnerability Reporting Program, from the page policy-details.

Happy hunting! ᕕ( ᐛ )ᕗ

Bitexen Vulnerability Reporting Program has been prepared to receive controlled news about security vulnerabilities that may be found in our systems and to encourage researchers. If you think that the security of your Bitexen account has been compromised, change your password as soon as possible and contact our support team via [email protected].

Eligibility and Coordinated Disclosure

Testing and Reporting

You can help us by following the methods below so that we do not confuse the traffic generated during your tests with the attacker traffic.

  • You can use custom HTTP headers. (Example: X-BTXN-VDP: )
  • You can specify your IP address in the report.

Be sure to only use accounts that you control during the testing process. If you have found a vulnerability to run commands on systems, just use the id andhostname commands. Do not use automated tools. If you have found a potentially damaging vulnerability, contact us to obtain additional testing permissions before verifying.

Allowed/not allowed actions for remote code execution vulnerabilities:

  • Allowed * Harmless command attempts on input fields on the web frontend (such as whoami```, hostname, ``ifconfig) * File uploads that run a harmless command as hard-coded * Commands id andhostname for proof of exploited vulnerability
  • Not Allowed * File uploads (webshell etc.) that can lead to free command execution * File deletion, editing, changing permissions * Actions that may affect normal operations (reboot etc.) * Commands and file accesses executed other than those required for proof of vulnerability

The following information should also be provided when reporting remote code execution vulnerabilities:

  • Source IP address, destination IP address and port information
  • Timestamp
  • Requests and responses to the server
  • Files and directories that were accessed intentionally or unintentionally during the test.
Rewards
Range of bounty$50 - $3,000
Severity
Critical
$1,000 - $3,000
High
$250 - $1,000
Medium
$50 - $250
Low
$50
Stats
Scope Review31523
Submissions45
Total rewards$50
Types
Web
apps
Platforms
IOS
Android
Hackers (37) View all
sh3rl0ck h0lm3s
1
2
Partha Bishwas
3
khalid sami
4
abdallah zaher
5
SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response3d
Triage Time3d
Reward Time3d
Resolution Time14d