Bug bounty

Gate.io Exchange: Program info

Company: Gate.io
This program is active now

Gate.io is one of the oldest cryptocurrency exchanges from China operating since 2013.

In scope
Target           URL(s)                                                            Type     Severity  Reward
gate.io          https://www.gate.io/                                              Web      Critical  Bounty
iOS App          https://apps.apple.com/us/app/gate-io/id1294998195                Web      Critical  Bounty
                 or https://testflight.apple.com/join/tBYCVJgJ
Android App      https://play.google.com/store/apps/details?id=com.gateio.gateio   Android  Critical  Bounty
Windows App      https://gapp.b.live/Gateio_Setup-winapp                           Web      Critical  Bounty
Mac App          https://gapp.b.live/Gate.io-macapp                                Web      Critical  Bounty
API & Websocket  https://api.gateio.ws/api/v4                                      Web      Critical  Bounty
                 wss://api.gateio.ws/ws/v4/
Malta Site       https://gate.mt/                                                  Web      Critical  Bounty

Focus Area

In-Scope Vulnerabilities

We are mostly interested in the following vulnerabilities:

  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Database vulnerability, SQLi
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • XML External Entity Attacks (XXE)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Other vulnerabilities with a clear potential loss

Out-of-Scope Vulnerabilities

OUT OF SCOPE - WEB

Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:

  • Vulnerabilities in third-party applications
  • Vulnerabilities requiring any third-party apps (including malware) to be installed on the victim's device
  • Best practices concerns
  • Other browser sessions not logging out immediately upon a change of password or setup of 2FA
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Vulnerabilities involving active content such as web browser add-ons
  • Most brute-forcing issues without clear impact
  • Denial of service
  • Theoretical issues
  • Moderately Sensitive Information Disclosure
  • Spam (sms, email, etc)
  • Missing HTTP security headers
  • Infrastructure vulnerabilities, including:
    • Certificates/TLS/SSL related issues
    • DNS issues (e.g. MX records, SPF records, DMARC records, etc.)
    • Server configuration issues (e.g. open ports, TLS, etc.)
  • Open redirects
  • Session fixation
  • User account enumeration
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Self-XSS that cannot be used to exploit other users
  • CSRF vulnerabilities
  • Weak Captcha/Captcha Bypass
  • Lack of Secure and HTTPOnly cookie flags
  • Username/email enumeration via Login/Forgot Password Page error messages
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD)
  • Mixed HTTP Content
  • HTTPS Mixed Content Scripts
  • DoS/DDoS issues
  • Broken Link Hijacking

OUT OF SCOPE - MOBILE

  • Attacks requiring physical access to a user's device
  • Vulnerabilities requiring extensive user interaction
  • Exposure of non-sensitive data on the device
  • Reports from static analysis of the binary without PoC that impacts business logic
  • Lack of obfuscation/binary protection/root(jailbreak) detection
  • Certificate pinning bypass on rooted devices
  • Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in the binary
  • OAuth & app secret hard-coded/recoverable in IPA, APK
  • Sensitive information retained as plaintext in the device’s memory
  • Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in-app private directory
  • Runtime hacking exploits using tools such as (but not limited to) Frida/Appmon (exploits only possible in a jailbroken environment)
  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view opened URIs
  • Exposure of API keys with no security impact (Google Maps API keys etc.)
  • Everything included in the OUT OF SCOPE - WEB section

Program Rules

  • Avoid using web application scanners for automated vulnerability scanning, which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services or infrastructure
  • Avoid compromising any personal data, interruption or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find chained vulnerabilities, we’ll pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof Team or an authorized employee of this Company without appropriate permission

Rewards

  • Critical: 3000 - 5000 USD, e.g. direct access to system privileges or core business, with potential for significant damage.

  • High: 900 - 2000 USD, e.g. unauthorized access, severe SQL injection, high-risk information leakage.

  • Medium: 300 - 500 USD, e.g. affecting the use and access of a portion of our users, modifying user information, etc.

  • Low: 50 - 150 USD, e.g. text message bomb, non-sensitive information leakage, etc.

Note: Severity depends on the threat to the business and is evaluated individually by the Gate.io Team.

Stats

Total rewards: $18,100
Reports submitted: 348
Types: Webapps
Platforms: Win, Mac, iOS, Android
Project types: CEX

Hackers (5)

0xj3st3r           1
Noddy N12          2
Sergey Romanovich  4
Nitish Singh       5

SLA (Service Level Agreement)

Time within which the program's triage team must respond (in business days):

Response Type    Business days
First Response   10d
Triage Time      3d
Reward Time      3d
Resolution Time  30d