Bug bounty
Triaged by HackenProof

OKX: Program info

Company: OKX
This program is active now

Founded in 2017, OKX is one of the world’s leading cryptocurrency spot and derivatives exchanges. OKX innovatively adopted blockchain technology to reshape the financial ecosystem by offering some of the most diverse and sophisticated products, solutions, and trading tools on the market. Trusted by more than 20 million users in over 180 regions globally, OKX strives to provide an engaging platform that empowers every individual to explore the world of crypto.

In scope

Target                       Type            Severity  Reward  URL
*.okx.com                    Web             Critical  Bounty  -
Android App                  Android         Critical  Bounty  https://play.google.com/store/apps/details?id=com.okinc.okex.gp
iOS App                      iOS             Critical  Bounty  https://apps.apple.com/hk/app/okx-buy-bitcoin-eth-crypto/id1327268470?l=en
MacOS App                    Other           Medium    Bounty  https://www.okx.com/download
WindowsOS App                Other           Medium    Bounty  https://www.okx.com/download
OKT Chain                    Infrastructure  Critical  Bounty  https://github.com/okx/exchain
OKX Wallet Chrome Extension  Other           Critical  Bounty  https://chrome.google.com/webstore/detail/okx-wallet/mcohilncbfahbmgdjkbpemcciiolgcge
OKX Wallet Edge Add-ons      Other           Critical  Bounty  https://microsoftedge.microsoft.com/addons/detail/okx-wallet/pbpjkcldjiffchgbbndmhojiacbgflha
OKX Wallet Safari Extension  Other           Critical  Bounty  https://apps.apple.com/us/app/okx-wallet/id6463797825?mt=12

Focus Area

Vulnerability Tiers and Rewards

  • Extreme: $30,000 - $1,000,000
  • Critical: $5,000 - $30,000
  • High: $2,000 - $5,000
  • Medium: $600 - $2,000
  • Low: $50 - $600

Our rewards are based on OKG's internal alternative matrix, and reward decisions are up to the discretion of OKG.

Vulnerability Severity Classification

Extreme

  • Vulnerabilities affecting critical assets, which can lead to severe business interruptions, affecting all users, systems or services unavailable for more than 60 minutes, resulting in potential economic losses of more than 500K USD
  • Or allow unauthorized access to the following content:
    • Any OKX account funds
    • Any funds or private keys in OKX Web3 wallet
    • Any vulnerability that leads to potential large-scale data breaches (including but not limited to user data) which results in potential regulatory penalties as well as financial and reputational losses for the company

Critical

  • Vulnerabilities affecting critical assets, which can lead to business interruption, affecting more than 50% of users, system or service unavailability for more than 15 minutes, resulting in potential economic losses of more than 100K USD
  • Vulnerabilities that may, under certain conditions, compromise the security of funds or fees of certain types of users or validators, or significantly weaken the token economy or trading mechanism
  • Remote code execution on OKX's official blockchain infrastructure and services, as well as vulnerabilities affecting the security of funds in on-chain contracts
  • Gaining control of multiple blockchain validator or intranet machines
  • Gaining control of critical back-end primary administrator privileges, leading to serious consequences such as widespread exposure of critical business information
  • System command execution vulnerabilities

High

  • Vulnerabilities affecting critical assets, which can lead to business interruption, affecting more than 30% of users, system or service unavailability for more than 10 minutes, resulting in potential economic losses of more than 50K USD
  • Vulnerabilities that compromise blockchain validators and their performance
  • SQL injection
  • Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend passwords, and SSRF (Server-Side Request Forgery) used to obtain large amounts of sensitive information from the intranet
  • Unauthorized operations on funds or bypass of payment logic (successfully executed)
  • Serious logical design and process vulnerabilities, including but not limited to arbitrary user login, mass modification of account passwords, and logical vulnerabilities that endanger the company's critical business
  • Other vulnerabilities that could have a large-scale impact on users, including but not limited to stored XSS (Cross-Site Scripting) worms on important pages
  • Substantial leakage of source code
  • Unauthorized access to interfaces or services containing sensitive data from users

Medium

  • Vulnerabilities that affect users through interaction, including stored XSS and CSRF (cross-site request forgery) on core business functions
  • Unauthorized operations, including but not limited to bypassing authentication to modify user information, modifying user configurations
  • Logic flaws in verification-code handling that could make brute-forcing of sensitive operations possible, such as arbitrary account login and arbitrary password retrieval
  • Leakage of sensitive encrypted data from local storage (with a demonstrated, practical way to exploit it)
  • Vulnerabilities that disrupt trading and deposits, such as the inability to cancel or place orders, or account history errors
  • Subdomain takeover
  • Clear-text passwords or clear-text AK/SK (access key / secret key) hard-coded in code or configuration files
  • Unauthorized access to interfaces or services that do not contain sensitive user data

Low

  • Vulnerabilities that may affect the stability or availability of OKC-related nodes
  • Local denial-of-service vulnerabilities, including but not limited to local DoS in the client application (caused by file format or network protocol parsing), Android component access exposure, and general application access-related issues
  • General information leakage, including but not limited to web path traversal, system path traversal, directory browsing
  • Reflected XSS (including DOM XSS/Flash XSS)
  • Common CSRF
  • Open redirection vulnerabilities
  • Social media account takeover (for accounts found on community page, or within the header or footer sections of OKX webpage)
  • HTTP header manipulation vulnerabilities

Other classifications

IDOR Vulnerabilities

  • Researchers must be able to demonstrate a feasible way for an attacker to obtain an ID; we will not accept reports where IDs are brute-forced

Broken link reports

  • Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly
  • Only broken links related to OKX found on the community page, or within the header or footer sections of OKX webpage, will be considered in scope
  • Broken links or takeover of social media accounts found in Help/Support/Learn articles are out of scope
  • Third party broken links found on articles or social media channels will be considered out of scope
  • All other broken links not mentioned will be considered out of scope

Additional notes

  • In addition to identified vulnerabilities, we appreciate you reporting any broken links, potential Denial-of-Service (DoS) vulnerabilities, or leaked credentials you encounter during your research.
  • Please note that we will review these findings on a case-by-case basis to determine if they are eligible for a bounty award.

OUT OF SCOPE – WEB / DESKTOP CLIENT VULNERABILITIES

  • Reports from automated tools or scans
  • False-positive SQL injection
    • To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database name or current user name
  • Spam vulnerabilities, mail spoofing, mail bombing, etc.
  • Self-XSS
  • Use of known-vulnerable library or component
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working proof of concept
  • Comma-Separated Values (CSV) injection without demonstrating a vulnerability
  • Missing best practices in SSL/TLS configuration
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities that only affect users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)
  • Software version disclosure, banner identification issues, and descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
  • Tabnabbing
  • Issues that require unlikely user interaction
  • Vulnerabilities that are already known (e.g. discovered by an internal team)
  • Best-practice reports are not eligible for bounties but are appreciated
  • WordPress-related vulnerabilities
  • DLL hijacking reports
  • Reports that bypass rate limiting through changing of IP addresses/Device IDs
  • Address bar/URL/domain spoofing in dApp browser
  • Sensitive data exposure on social media accounts
  • Takeovers of internal domains that are not under okx.com
  • Reports with desktop client versions not downloaded from our official sites listed in our scope

OUT OF SCOPE – MOBILE VULNERABILITIES

  • Attacks requiring physical access to a user's device
  • Vulnerabilities that require root/jailbreak
  • Vulnerabilities requiring extensive user interaction
  • Exposure of non-sensitive data on the device
  • Reports from static analysis of the binary without PoC that impacts business logic
  • Lack of obfuscation/binary protection/root (jailbreak) detection
  • Bypass certificate pinning on rooted devices
  • Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in binary
  • OAuth or app secrets hard-coded in, or recoverable from, the IPA or APK
  • Sensitive information retained as plaintext in the device's memory
  • Crashes due to malformed URL schemes or Intents sent to an exported Activity, Service, or Broadcast Receiver
  • Any kind of sensitive data stored in the app's private directory
  • Runtime hacking exploits using tools like but not limited to Frida/Appmon (exploits only possible in a jailbroken environment)
  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view opened URIs
  • Exposure of API keys with no security impact (Google Maps API keys etc.)
  • Reports that bypass rate limiting through changing of IP addresses/Device IDs
  • Address bar/URL/domain spoofing in dApp browser
  • Reports with mobile versions not downloaded from official sites listed in our scope

Program Rules

  • Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • If you find a chain of vulnerabilities, we'll pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Details of any vulnerability found must not be communicated to anyone who is not a member of the HackenProof team or an authorized employee of this company without appropriate permission
  • Please limit your requests to 5 requests per second.
  • Please do not flood the support centre with tickets or requests.

Disclosure Guidelines

  • As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial, is allowed for the moment.
  • Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:

  • You must be the first vulnerability reporter.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of ours or of one of our contractors.
  • ONLY USE YOUR HackenProof ACCOUNT (in case of violation, no bounty will be awarded)
  • Provide detailed but to-the-point reproduction steps

Reward List

  • High-quality reports may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.

Known Issues

  • Please note that the OKX Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates. We seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.

Rewards

Range of bounty: $50 - $1,000,000

Severity  Reward
Critical  $5,000 - $30,000
High      $2,000 - $5,000
Medium    $600 - $2,000
Low       $50 - $600

Stats

Scope Review: 71828
Submissions: 333
Total rewards: $57,100

Types: Web, apps, blockchain
Platforms: Win, Mac, iOS, Android
Project types: CEX, NFT Marketplace

Hackers (170)

  1. Kirill Firsov
  2. 0xj3st3r
  3. Siddharth Bharadwaj
  4. YAUHENI SAVUSHKIN
  5. Rohan Kumar Agarwal

SLA (Service Level Agreement)

Time within which the program's triage team must respond (in business days):

Response Type    Business days
First Response   3d
Triage Time      3d
Reward Time      5d
Resolution Time  30d