Bug bounty
Triaged by HackenProof

NonKyc.io: Program info

Company: NonKyc.io Exchange
POC required
Live (program is active now)

Founded in 2023, NonKYC.io is committed to providing a secure and intuitive platform tailored for trading small and mid-cap digital assets. We strive to ensure an efficient experience while protecting users and their data. Unlike many exchanges built on pre-existing templates, NonKYC was designed entirely from the ground up by a team of experienced crypto engineers. This approach provides long-term scalability and a strong foundation for future growth.

In scope
Target                                  Type      Severity  Reward
https://nonkyc.io                       Web       Critical  Bounty
https://api.nonkyc.io                   API       Critical  Bounty
wss://ws.nonkyc.io                      Protocol  Critical  Bounty
https://nonkyc.io/download/latestAPK    Android   Critical  Bounty

Focus Area

NonKYC is a privacy-focused cryptocurrency exchange providing a fast and secure trading experience with no KYC requirements.

Our platform includes:

  • Web interface
  • Mobile application (Android)
  • WebSocket API
  • REST API

We invite ethical hackers to help us identify potential vulnerabilities and ensure the security of our infrastructure and our users’ funds.

This program covers all actively deployed production environments unless explicitly stated otherwise in the "Out of Scope" section.

IN SCOPE VULNERABILITIES: WEB VULNERABILITIES

We are interested in the following vulnerabilities:

  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Injection vulnerabilities (SQL, XXE)
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Directory traversal
  • Other vulnerabilities with a clear potential loss

OUT OF SCOPE: WEB VULNERABILITIES

Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:

  • Vulnerabilities in third-party applications
  • Assets that do not belong to the company
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Reports generated by scanners or any automated or active exploit tools
  • Vulnerabilities involving active content such as web browser add-ons
  • Most brute-forcing issues without clear impact
  • Denial of service (DoS/DDoS)
  • Theoretical issues
  • Moderately Sensitive Information Disclosure
  • Spam (sms, email, etc)
  • Missing HTTP security headers
  • Infrastructure vulnerabilities, including:
      ◦ Certificate/TLS/SSL-related issues
      ◦ DNS issues (e.g. MX, SPF, DMARC records)
      ◦ Server configuration issues (e.g. open ports, TLS settings)
  • Open redirects
  • Session fixation
  • User account enumeration
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Self-XSS that cannot be used to exploit other users
  • Login & Logout CSRF
  • Weak Captcha/Captcha Bypass
  • Lack of Secure and HTTPOnly cookie flags
  • Username/email enumeration via Login/Forgot Password Page error messages
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating clear security impact
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD)
  • Mixed HTTP Content
  • HTTPS Mixed Content Scripts
  • Manipulation with Password Reset Token
  • MitM and local attacks
  • Response manipulations without demonstration of system state change

IN SCOPE VULNERABILITIES (WSS Protocol)

We are interested in the following vulnerabilities related to our WebSocket protocol:

  • Unauthorized subscription to private channels
  • Injection attacks in WebSocket messages
  • Manipulation of real-time market data (price spoofing, fake volume, etc.)
  • Race conditions or desynchronization of client state
  • Leakage of sensitive data over WebSocket
  • Authentication/authorization bypass through WebSocket
  • Message tampering or replay attacks with valid tokens

OUT OF SCOPE VULNERABILITIES (WSS Protocol)

  • Disconnection due to rate limits or idle timeout
  • Lack of encryption (already handled via TLS/WSS)
  • Missing ping/pong or keepalive messages
  • Theoretical latency or delay-related issues
  • Public data feed enumeration without sensitive impact
  • Replay attacks without authentication token compromise
  • Behavior that doesn't result in any actionable impact or loss

IN SCOPE VULNERABILITIES (Android .apk)

We are interested in the following vulnerabilities within our Android mobile application:

  • Insecure local storage of sensitive data (e.g. keys, tokens)
  • Insecure communication with backend services
  • Hardcoded secrets, API keys, or credentials in the APK
  • Authentication or session management flaws
  • Code tampering or reverse engineering that leads to business logic abuse
  • Abuse of app components (e.g. unprotected Activities, Services, Broadcasts)
  • Unauthorized actions via IPC (intent spoofing)
  • App allowing trading/withdrawals without proper verification
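The exported-component items above (abuse of app components, unauthorized actions via IPC) are usually checked statically first, before any device work, and that check does not depend on a rooted device or emulator. The script below is an added example, not NonKYC's code and not part of this program: it reads a decoded AndroidManifest.xml (for instance the output of apktool or apkanalyzer), applies the platform's default rules for android:exported, and lists the components another app on the device could reach without holding a permission. The manifest embedded in it is constructed, with a hypothetical package name com.example.exchange, and is not taken from the NonKYC APK.

```python
"""Static triage of exported Android components from a decoded manifest.

Added example: not NonKYC's code. The sample manifest below is constructed
(hypothetical package com.example.exchange), not the real APK's manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest, as it would look after `apktool d <apk>` or
# `apkanalyzer manifest print <apk>`.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.exchange">
  <uses-sdk android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- exported unset but has an intent-filter: implicitly exported on targetSdk < 31 -->
    <activity android:name=".WithdrawActivity">
      <intent-filter>
        <action android:name="com.example.exchange.WITHDRAW"/>
      </intent-filter>
    </activity>
    <!-- explicitly exported but gated behind a permission: not reachable by arbitrary apps -->
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.exchange.permission.SYNC"/>
    <receiver android:name=".PriceAlertReceiver" android:exported="false"/>
    <provider android:name=".KeyStoreProvider"
              android:authorities="com.example.exchange.keys"
              android:exported="true"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(elem):
    """The MAIN/LAUNCHER activity is exported by design; skip it in findings."""
    for flt in elem.findall("intent-filter"):
        for cat in flt.findall("category"):
            if _attr(cat, "name") == "android.intent.category.LAUNCHER":
                return True
    return False


def is_exported(elem, target_sdk):
    """Apply the platform defaults for android:exported when it is not set."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # Content providers defaulted to exported only before API 17.
    if elem.tag == "provider":
        return target_sdk < 17
    # Other components with an intent-filter were exported by default before
    # API 31; from 31 on the attribute must be explicit.
    has_filter = elem.find("intent-filter") is not None
    return has_filter and target_sdk < 31


def find_attack_surface(manifest_xml):
    """Return [(tag, name, reason)] for components any app can reach
    without holding a permission."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or _is_launcher(elem):
            continue
        if not is_exported(elem, target_sdk):
            continue
        if _attr(elem, "permission"):
            continue  # caller must hold a permission; review that permission separately
        reason = ("explicit exported=true" if _attr(elem, "exported") is not None
                  else "implicitly exported (intent-filter, targetSdk < 31)")
        findings.append((elem.tag, _attr(elem, "name"), reason))
    return findings


if __name__ == "__main__":
    for tag, name, reason in find_attack_surface(SAMPLE_MANIFEST):
        print(f"{tag:9} {name:22} {reason}")
```

Run it against a real manifest by replacing SAMPLE_MANIFEST with the decoded file's contents. A hit is only the starting point: to be in scope the report needs a proof of concept showing what an untrusted caller can make the component do (an intent that triggers a state change, a provider query that returns sensitive data), which is the same bar the program applies to everything else. Note the target SDK handling: for targetSdk 31 and later, a component with an intent-filter but no explicit android:exported is rejected at install time, so the implicit case only matters for older builds.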

OUT OF SCOPE VULNERABILITIES (Android .apk)

  • Debug logs or stack traces with no sensitive data
  • Issues only present on rooted devices or emulators
  • Lack of obfuscation or code minification
  • Best practices issues without real security impact
  • Usage of third-party libraries with no exploitable vector in this app
  • Crashes without proven impact on confidentiality, integrity, or availability
  • Low-impact UI/UX flaws that don’t lead to abuse or data exposure
  • Presence of hardcoded API or Google keys that do not grant access to sensitive resources or cannot be exploited in practice

Program Rules

  • Avoid web application scanners that search for vulnerabilities automatically and generate heavy traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the defined scope
  • Do not exploit or simulate DoS/DDoS attacks, social engineering, phishing, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • If multiple vulnerabilities stem from the same root cause, only the most severe will be eligible for reward
  • Do not break any laws; remain compliant with local and international regulations and stay within the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
  • Reports must include a clear and reproducible Proof of Concept (PoC) or step-by-step reproduction — vague or theoretical reports may be marked as informative and not rewarded
  • Any attempt to demand a reward through threats, coercion, blackmail, or circumventing the responsible disclosure process will result in disqualification and possible legal consequences

Disclosure Guidelines

  • Do not discuss or share any part of this program, including vulnerabilities (even resolved ones), outside the HackenProof platform without our explicit written permission.
  • No public vulnerability disclosure is allowed at this time — this includes partial disclosures, PoC sharing, screenshots, or indirect hints.
  • Publishing, discussing, or leaking any report, regardless of severity or reward status, will result in immediate disqualification from the program and may lead to legal consequences.
  • You may not use discovered vulnerabilities for any purpose other than reporting through HackenProof.
  • Responsible disclosure is only permitted after receiving explicit approval in writing from our security team.

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports that help us improve our security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see Scope section).
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a current or former employee or contractor of the Company.
  • ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the-point reproduction steps
  • You must not attempt to test or exploit vulnerabilities on assets that are marked as out-of-scope.
  • Multiple reports caused by the same root vulnerability may be treated as a single issue.
  • Any attempt to demand a reward through threats, coercion, or bypassing the responsible disclosure process will result in disqualification from the program and possible legal action.

Rewards

Trusted Payer: this company has funded a bounty deposit.
Range of bounty: $50 - $5,000

Severity   Reward
Critical   $500 - $5,000
High       $250 - $500
Medium     $100 - $250
Low        $50 - $75

Stats

Scope review: 4082
Submissions: 35
Total rewards: $0

Types: Web, apps
Platforms: Android
Project types: CEX, Infrastructure

SLA (Service Level Agreement)

Time within which the program's triage team must respond (business days):

Response type     Business days
First response    3
Triage time       5
Reward time       5
Resolution time   21