IN-SCOPE VULNERABILITIES (WEB)
We are interested in the following vulnerabilities:
Critical
- Remote code execution (RCE)
- Business logic issues that can lead directly to the theft of a large amount of funds
- False top-up issues
- Leakage of a massive amount of sensitive information (KYC)
- Other security vulnerabilities that we consider to be critical
High
- Business logic issues that can lead to user fund loss
- Injection vulnerabilities (SQL, XXE)
- Access Control Issues (IDOR, Privilege Escalation, etc.) can
- Leakage of a small amount of sensitive information (KYC)
- Server-Side Request Forgery (SSRF)
- Other security vulnerabilities that we consider to be high
Medium
- Cross-Site Scripting (Stored XSS)
- Leakage of information (email, UID, ...)
- Business logic issues that can lead to denial of service
- Other security vulnerabilities that we consider to be medium
Low
- Directory traversal
- Leakage of information (system logs, tracking data, ...)
- Cross-Site Scripting (Reflected XSS)
- Cross-Site Request Forgery (CSRF)
- Broken Links
- Open redirects
- Other security vulnerabilities that we consider to be low
IN-SCOPE VULNERABILITIES (Mobile)
We are interested in the following vulnerabilities:
Critical
- Remote code execution (RCE)
- Fingerprint or Password screen lock authentication bypass
- Mobile issues that can be used to attack users via JsBridge/JavascriptInterface
- Other security vulnerabilities that we consider to be critical
High
- Injection vulnerabilities (SQL)
- Unsafe webview configuration
- Leakage of sensitive information
- Privilege escalation vulnerability
- Remote attacks that make the app unusable and require reinstallation
- Other security vulnerabilities that we consider to be high
Medium
- Cross-Site Scripting (Reflected XSS)
- Mobile issues that allow any external website to be loaded through an unsafe deeplink handler without restriction
- Remote attacks that make the app unusable and require a restart
- Other security vulnerabilities that we consider to be medium
Low
- Phishing attacks using a WebView vulnerability
- Other security vulnerabilities that we consider to be low
N-Day Policy
- When N-Day bugs are released to the public, we will consider them to be in scope after 14 days have passed.
- e.g. an N-day released on 06/01/2025 would be considered in scope from 06/15/2025
Bonus
Depending on the impact of the vulnerability, we will consider paying additional rewards for vulnerabilities rated high or above.
- Critical $5,000 - $8,000 (bonus: $1,000 - $2,000)
- High $1,000 - $2,000 (bonus: $0 - $1,000)
OUT OF SCOPE: WEB VULNERABILITIES
Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:
Web
- Vulnerabilities in third-party applications
- Assets that do not belong to the company
- Best practices concerns
- Recently (less than 15 days) disclosed 0day vulnerabilities
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering, phishing, physical, or other fraud activities
- Publicly accessible login panels without proof of exploitation
- Reports that state that software is out of date/vulnerable without a proof of concept
- Reports generated by scanners or any automated or active exploit tools
- Vulnerabilities involving active content such as web browser add-ons
- Most brute-forcing issues without clear impact
- Theoretical issues
- Moderately Sensitive Information Disclosure
- Spam (SMS, email, etc.)
- Missing HTTP security headers
- Infrastructure vulnerabilities, including:
  - Certificates/TLS/SSL-related issues
  - DNS issues (e.g. MX records, SPF records, DMARC records, etc.)
  - Server configuration issues (e.g. open ports, TLS, etc.)
- Session fixation
- User account enumeration
- Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- Self-XSS that cannot be used to exploit other users
- Login & Logout CSRF
- Weak Captcha/Captcha Bypass
- Lack of Secure and HttpOnly cookie flags
- Username/email enumeration via Login/Forgot Password Page error messages
- CSRF in forms that are available to anonymous users (e.g. the contact form)
- OPTIONS/TRACE HTTP method enabled
- Host header issues without proof-of-concept demonstrating the vulnerability
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Content Spoofing without embedded links/HTML
- Reflected File Download (RFD)
- Mixed HTTP Content
- HTTPS Mixed Content Scripts
- Manipulation of the password reset token
- MitM and local attacks
Mobile App
- Vulnerabilities that require root/jailbreak
- Vulnerabilities that require physical access to a user's device
- Vulnerabilities requiring extensive user interaction
- Lack of obfuscation/binary protection/root(jailbreak) detection
- Bypass certificate pinning on rooted devices
- Lack of exploit mitigations (e.g. PIE, ARC, or stack canaries)
- Path disclosure in the binary
- OAuth & app secret hard-coded/recoverable in IPA, APK
- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
- Runtime hacking exploits using tools such as (but not limited to) Frida, Xposed, or AppMon (exploits only possible in a jailbroken environment)
- Shared links leaked through the system clipboard