Bug bounty
Triaged by Hackenproof

GMGN Web & Mobile: Program info

GMGN Web & Mobile

Company: GMGN Ai
This program is active now

Fast Trade, Fast Copy Trade, Fast AFK Automation. Discover faster, Trading in seconds🚀 On-chain at the speed of light.

In scope

Target                                                       Type      Severity   Reward
https://gmgn.ai/                                             Web       Critical   Bounty
*.gmgn.ai                                                    Web       Critical   Bounty
https://apps.apple.com/sg/app/gmgn-lite/id6740896821         iOS       Critical   Bounty
https://play.google.com/store/apps/details?id=com.gmgn.app   Android   Critical   Bounty

Focus Area

Program Overview

Safety and security are our top priorities at GMGN. To eliminate system vulnerabilities and further improve GMGN services, GMGN has launched a vulnerability bounty program for all security researchers. We will evaluate all reported security issues based on their impact on users and assets, and rewards will be paid in USDT once your submission is accepted. Please be advised that only reports with a detailed description of the vulnerability and a complete, working proof of concept are eligible for rewards.

Level of Severity and Reward Range

Extreme: Up to 1,000,000 USDT

Vulnerabilities that threaten core or essential assets, potentially leading to major business disruptions or unauthorized access to GMGN wallets, funds, or private keys.

Estimated at 10% of the potential losses, but not more than 1 million USDT.

Critical: 3,000 - 10,000 USDT

  • Vulnerabilities that undermine the security of user assets.
  • Vulnerabilities that bypass the application's normal trading logic or procedures.
  • Vulnerabilities that allow remote access to users' essential information or authentication data.
  • Vulnerabilities related to key generation, encryption, decryption, signing, and verification.

High: 1,000 - 3,000 USDT

  • Vulnerabilities that lead to high-risk information leakage.
  • Vulnerabilities with an impact similar to critical vulnerabilities but dependent on specific prerequisites.

Medium: 300 - 1,000 USDT

  • Vulnerabilities that lead to the leakage of part of a user's information through interaction or financial fraud.
  • Vulnerabilities that cause GMGN to be unable to respond to users' requests from the web or mobile apps.

Low: 50 - 300 USDT

  • Vulnerabilities due to product design defects that do not affect the security of users' assets.
  • Vulnerabilities that lead to Denial of Service of core GMGN services.

Reports NOT Qualified for the Rewards

The following issues are not qualified for any reward:

  • Theoretical vulnerabilities without an actual proof of concept
  • Email verification defects, expiration of password reset links, and password complexity policies
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
  • Clickjacking/UI redressing with minimal security impact
  • Email or mobile enumeration (e.g., the ability to identify emails through password resetting)
  • Information leakage with minimal security impact (e.g., stack traces, path disclosure, directory listings, logs)
  • Internally known issues, recurring issues, or issues already published
  • Tabnabbing
  • Self-XSS
  • Vulnerabilities only applicable to outdated versions of browsers or platforms
  • Vulnerabilities related to auto-fill web forms
  • Use of vulnerable libraries already known without an actual proof of concept
  • Lack of security flags in cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol versions
  • Content spoofing
  • Issues related to cache control
  • Vulnerabilities exposing internal IP addresses or domains
  • Lack of security headers that do not lead to direct exploitation
  • CSRF with negligible security impact (e.g., adding to favorites, subscribing to non-vital features)
  • Vulnerabilities that require root/jailbreak
  • Vulnerabilities that require physical access to the user’s device
  • Issues with no security impact (e.g., failure to load a web page)

Program Rules

  • Avoid using web application scanners for automated vulnerability searching, which generates massive traffic.
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure.
  • Avoid compromising any personal data, interruption, or degradation of any service.
  • Don’t access or modify other users’ data; limit all tests to your own accounts.
  • Perform testing only within the scope.
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam.
  • Don’t spam forms or account creation flows using automated scanners.
  • If you find chained vulnerabilities, we will pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof team or an authorized employee of this Company without appropriate permission.
  • Security researchers conducting or facilitating malicious attacks on GMGN will not be qualified for any reward.

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment.
  • Please do NOT publish or discuss bugs.

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports that help us improve our security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must not be a former or current employee of us or of one of our contractors.
  • ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded).
  • Provide detailed but to-the-point reproduction steps.

Rewards

Range of bounty: $50 - $1,000,000

  • Critical: $3,000 - $10,000
  • High: $1,000 - $3,000
  • Medium: $300 - $1,000
  • Low: $50 - $300

Stats

  • Scope Review: 4621
  • Submissions: 30
  • Total rewards: $2,900
  • Types: Web, apps
  • Platforms: iOS, Android
Hackers (21)

  1. cats are aliens
  2. zaa
  3. Serhii Saraichykov
  4. Danish

SLA (Service Level Agreement)

Time within which the program's triage team must respond (in business days):

  • First Response: 3d
  • Triage Time: 7d
  • Reward Time: 14d
  • Resolution Time: 14d