IN-SCOPE VULNERABILITIES (WEB)

We are interested in the following vulnerabilities:

Critical

• Remote code execution (RCE)
• Business logic issues can direct theft a lot of funds
• False top-up issues
• Leakage of sensitive information with a massive amount(KYC)
• Other security vulnerabilities that we consider to be critical

High

• Business logic issues can lead to user fund loss
• Injection vulnerabilities (SQL, XXE)
• Access Control Issues (IDOR, Privilege Escalation, etc) can
• Leakage of sensitive information with a small amount(KYC)
• Server-Side Request Forgery (SSRF)
• Other security vulnerabilities that we consider to be high

Medium

• Cross-Site Scripting (Stored XSS)
• Leakage of information（Email, Uid...）
• Business logic issues can lead to denial of service
• Other security vulnerabilities that we consider to be medium

Low

• Directory traversal
• Leakage of information（System log, tracking data...）
• Cross-Site Scripting (Reflection XSS)
• Cross-Site Request Forgery (CSRF)
• Broken Links
• Open redirects
• Other security vulnerabilities that we consider to be low

IN-SCOPE VULNERABILITIES (Mobile)

We are interested in the following vulnerabilities:

Critical

• Remote code execution (RCE)
• Fingerprint or Password screen lock authentication bypass
• Mobile issues that can use Jsbridge/javascritptinterface attack users.
• Other security vulnerabilities that we consider to be critical

High

• Injection vulnerabilities (SQL)
• Unsafe webview configuration
• Leakage of sensitive information.
• Privilege escalation vulnerability
• Remote attacks make the app unusable and require reinstallation
• Other security vulnerabilities that we consider to be high

Medium

• Cross-Site Scripting (Reflection XSS)
• Mobile issues that can view any external website through an unsafe deeplink method without any limit.
• Remote attacks make the app unusable and require restart
• Other security vulnerabilities that we consider to be medium

Low

• Phishing attack using webview vulnerability
• Other security vulnerabilities that we consider to be low

N-Day Policy

• When N-Day bugs are released to the public, we will consider them to be in scope after 14 days has passed.
• e.g: N-day released on 06/01/2025, we would consider it in-scope from 06/15/2025

Bonus

Depending on the impact of the vulnerability, we will consider paying additional rewards for vulnerabilities with high risk or above.

• Critical $5,000 - $8,000 (bonus:$1,000-$2000)
• High $1000 - $2,000 (bonus:0-$1,000)

OUT OF SCOPE: WEB VULNERABILITIES

Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not correspond to the severity threshold: Web

• Vulnerabilities in third-party applications
• Assets that do not belong to the company
• Best practices concerns
• Recently (less than 15 days) disclosed 0day vulnerabilities
• Vulnerabilities affecting users of outdated browsers or platforms
• Social engineering, phishing, physical, or other fraud activities
• Publicly accessible login panels without proof of exploitation
• Reports that state that software is out of date/vulnerable without a proof of concept
• Reports that generated by scanners or any automated or active exploit tools
• Vulnerabilities involving active content such as web browser add-ons
• Most brute-forcing issues without clear impact
• Theoretical issues
• Moderately Sensitive Information Disclosure
• Spam (sms, email, etc)
• Missing HTTP security headers
• Infrastructure vulnerabilities, including:
  • Certificates/TLS/SSL-related issues;
  • DNS issues (i.e. MX records, SPF records, DMARC records etc.);
  • Server configuration issues (i.e., open ports, TLS, etc.)
• Session fixation
• User account enumeration
• Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
• Descriptive error messages (e.g. Stack Traces, application or server errors)
• Self-XSS that cannot be used to exploit other users
• Login & Logout CSRF
• Weak Captcha/Captcha Bypass
• Lack of Secure and HTTPOnly cookie flags
• Username/email enumeration via Login/Forgot Password Page error messages
• CSRF in forms that are available to anonymous users (e.g. the contact form)
• OPTIONS/TRACE HTTP method enabled
• Host header issues without proof-of-concept demonstrating the vulnerability
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Content Spoofing without embedded links/HTML
• Reflected File Download (RFD)
• Mixed HTTP Content
• HTTPS Mixed Content Scripts
• Manipulation with Password Reset Token
• MitM and local attacks

Mobile App

• Vulnerabilities that require root/jailbreak
• Vulnerabilities that require physical access to a user's device
• Vulnerabilities requiring extensive user interaction
• Lack of obfuscation/binary protection/root(jailbreak) detection
• Bypass certificate pinning on rooted devices
• Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries.
• Path disclosure in the binary
• OAuth & app secret hard-coded/recoverable in IPA, APK
• Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
• Runtime hacking exploits using tools like but not limited to Frida, Xposed, Appmon (exploits only possible in a jailbroken environment)
• Shared links leaked through the system clipboard

Access

• Targets are accessible via the public internet.

Credentials

• Please sign up for an account using your email address, and if you want access all product features , you need to pass Bitunix's KYC certification.

Notice

• Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
• Make every effort not to damage or restrict the availability of products, services, or infrastructure
• Avoid compromising any personal data, interruption, or degradation of any service
• Don’t access or modify other user data, localize all tests to your accounts
• Perform testing only within the scope
• Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
• Don’t spam forms or account creation flows using automated scanners
• In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
• Don’t break any law and stay in the defined scope
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
• No vulnerability disclosure, including partial is allowed for the moment.
• Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
• You must not be a former or current employee of us or one of its contractor.
• ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded)
• Provide detailed but to-the point reproduction steps