LCX: Program info

In-Scope Vulnerabilities

We are interested in the following vulnerabilities:

• Business logic issues
• Remote code execution (RCE)
• Payments manipulation or significant manipulation of account balance
• Authentication and authorisation bypass (full or partial)
• Access control issues (IDOR, privilege escalation)
• Injection vulnerabilities (SQL, XXE, command injection)
• Server-Side Request Forgery (SSRF)
• Cross-Site Scripting (XSS) affecting sensitive actions (deposits, withdrawals, trading, API key management) with clear PoC — excluding Self-XSS
• Cross-Site Request Forgery (CSRF) on authenticated sensitive endpoints — excluding login/logout CSRF
• Theft of privileged information (KYC data, passwords, API keys, private keys)
• Leakage of sensitive information
• File inclusions (Local & Remote)
• Directory traversal
• WebSocket security issues affecting trading, account state, or authentication
• Mobile: insecure storage of sensitive data (credentials, tokens, keys), authentication bypass, insecure API communication
• Smart contracts: reentrancy, access control bypass, integer overflow/underflow, flash loan attacks, logic errors resulting in fund loss
• Other vulnerability with clear potential for financial or data loss

Out-of-Scope Vulnerabilities

Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not correspond to the severity threshold:

• Vulnerabilities in third-party applications

• Assets that do not belong to the company

• Best practices concerns

• Recently (less than 30 days) disclosed 0day vulnerabilities

• Vulnerabilities affecting users of outdated browsers or platforms

• Social engineering, phishing, physical, or other fraud activities

• Publicly accessible login panels without proof of exploitation

• Reports that state that software is out of date/vulnerable without a proof of concept

• Reports that generated by scanners or any automated or active exploit tools

• Vulnerabilities involving active content such as web browser add-ons

• Most brute-forcing issues without clear impact

• Denial of service (DoS/DDoS)

• Theoretical issues

• Moderately Sensitive Information Disclosure

• Spam (sms, email, etc)

• Missing HTTP security headers

• Infrastructure vulnerabilities, including:

  1. Certificates/TLS/SSL-related issues;
  2. DNS issues (i.e. MX records, SPF records, DMARC records etc.);
  3. Server configuration issues (i.e., open ports, TLS, etc.)

• Open redirects

• Session fixation

• User account enumeration

• Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking

• Descriptive error messages (e.g. Stack Traces, application or server errors)

• Self-XSS that cannot be used to exploit other users

• Login & Logout CSRF

• Weak Captcha/Captcha Bypass

• Lack of Secure and HTTPOnly cookie flags

• Username/email enumeration via Login/Forgot Password Page error messages

• CSRF in forms that are available to anonymous users (e.g. the contact form)

• OPTIONS/TRACE HTTP method enabled

• Host header issues without proof-of-concept demonstrating the vulnerability

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

• Content Spoofing without embedded links/HTML

• Reflected File Download (RFD)

• Mixed HTTP Content

• HTTPS Mixed Content Scripts

• Manipulation with Password Reset Token

• MitM and local attacks

• Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
• Make every effort not to damage or restrict the availability of products, services, or infrastructure
• Avoid compromising any personal data, interruption, or degradation of any service
• Don’t access or modify other user data, localize all tests to your accounts
• Perform testing only within the scope
• Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
• Don’t spam forms or account creation flows using automated scanners
• In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
• Don’t break any law and stay in the defined scope
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
• For vulnerabilities affecting trade execution, withdrawals, or wallet operations — contact [email protected] before running a production proof of concept. Staging environment access will be arranged.
• Do not publicly disclose findings until LCX has confirmed a fix or 90 days have elapsed from your submission date, whichever comes first.
• LCX AG will not pursue legal action against researchers acting in good faith, within these rules, and without causing harm to LCX systems or users.