Bug bounty program
Triaged by HackenProof

Phemex Web & Mobile: Program info

Phemex Web & Mobile

Company: Phemex
POC required
Live
Program is active now

Founded in 2019, Phemex is a user-first crypto exchange trusted by over 10 million traders worldwide, offering spot and derivatives trading, copy trading, and wealth management products.

In scope

Target                                                                      Type     Severity
https://phemex.com                                                          Web      Critical
https://apps.apple.com/us/app/phemex-buy-bitcoin-crypto/id1499601684        iOS      Critical
https://play.google.com/store/apps/details?id=com.phemex.app&hl=en&pli=1    Android  Critical
*.phemex.com                                                                Web      Critical

Focus Area

Notice

Due to our current business development and testing schedule, this project does not accept bug reports related to the testing environment at this time.

Additional Scope of the Program

  • Cloud service assets utilized by Phemex
  • Key supply chain components that directly interact with or impact Phemex’s business operations

Vulnerability Severity Levels and Reward Standards

  • Extreme Risk: USD 30,000 – 500,000
  • Critical Risk: USD 5,000 – 30,000
  • High Risk: USD 2,000 – 5,000
  • Medium Risk: USD 600 – 2,000
  • Low Risk: USD 50 – 600

The severity level of each vulnerability will be determined by Phemex in accordance with the classification criteria defined under this program. The final reward amount will be decided within the corresponding range based on factors such as the level of risk, scope of impact, and quality of the report. Phemex reserves the sole and final discretion in determining the reward amount.

Vulnerability Severity Classification Standards

Extreme Risk

  1. Vulnerabilities affecting critical assets that may cause severe business disruption, impacting all users, systems, or services, with downtime exceeding 60 minutes and potential financial loss over USD 500,000;
  2. Vulnerabilities that allow unauthorized access to any of the following:
  • Funds in any Phemex user account;
  • Funds or private keys stored in Phemex Web3 wallets;
  3. Business logic or core design flaws that bypass normal transaction processes or validation mechanisms, directly impacting fund security, trading prices, or asset states, with potential loss exceeding USD 500,000, including but not limited to:
  • Executing “zero-cost” transactions or buying/selling assets for free through logic flaws;
  • Bypassing balance verification, order-matching rules, or fee mechanisms;
  • Arbitrarily manipulating transaction prices, quantities, exchange rates, or matching results;
  • Replaying or resubmitting transactions leading to double spending or duplicate settlements;
  • Bypassing authorization or validation logic to directly perform high-risk operations (e.g., placing/canceling orders, transfers, or withdrawals);
  • Smart contract design flaws leading to fund lock-up, theft, unauthorized transfer, or permanent loss;
  • Vulnerabilities affecting the core accounting system, matching engine, or clearing and settlement logic of the exchange.
  4. Any other vulnerabilities that could cause significant financial loss or reputational damage, with potential losses exceeding USD 500,000.

Critical Risk

  1. Vulnerabilities affecting critical assets that may cause business interruption, impacting more than 50% of users, rendering systems or services unavailable for over 30 minutes, with potential losses exceeding USD 100,000;
  2. Severe vulnerabilities, including but not limited to:
  • Remote arbitrary code execution, webshell upload, or exploitable remote buffer overflow on core Phemex servers;
  • Ability to manipulate multiple blockchain validator nodes or internal network hosts;
  • Obtaining administrator-level access to core backend systems, leading to large-scale disclosure of sensitive business information;
  • SQL injection in core databases that can alter critical data.
  3. Business logic or core design flaws that partially bypass normal trading or validation mechanisms, with potential losses exceeding USD 100,000, including but not limited to:
  • Under specific conditions, compromising the fund or fee security of certain users or validators;
  • Exploiting logic flaws to manipulate or disrupt order matching, fee calculation, reward distribution, or settlement processes;
  • Partial price manipulation, asset freezing, or fee bypass vulnerabilities;
  • Design flaws that severely weaken or disrupt tokenomics, incentive mechanisms, or governance weight;
  • Logic or boundary errors that may cause incorrect accounting, double settlement, or reward misallocation.
  4. Any other vulnerabilities that could cause major financial loss or reputational harm, with potential losses exceeding USD 100,000.

High Risk

  1. Vulnerabilities affecting key assets that may cause business interruption, impacting over 30% of users, with downtime exceeding 10 minutes and potential losses over USD 50,000;
  2. High-risk vulnerabilities, including but not limited to:
  • Flaws compromising blockchain validator nodes or their performance;
  • SQL injection vulnerabilities;
  • Unauthorized access to sensitive data, including backend access via authentication bypass, weak credentials, or obtaining internal data through SSRF;
  • Bypassing payment logic to perform unauthorized financial operations (successfully executed);
  • Severe logic or process design flaws (e.g., arbitrary user login, mass password reset, or logic defects threatening core business functions; excluding CAPTCHA brute-force or username enumeration);
  • Vulnerabilities with wide user impact, such as stored XSS capable of automatic propagation on key pages, or stored XSS that successfully captures administrator credentials;
  • Unauthorized access to APIs or services containing sensitive data.
  3. Any other vulnerabilities that may result in financial loss or reputational harm, with potential losses exceeding USD 50,000.

Medium Risk

Medium-risk vulnerabilities include but are not limited to:

  • Stored XSS, CSRF that can trigger business operations, or XXE;
  • Insecure Direct Object References (IDOR) allowing attackers to access or modify other users’ data;
  • CAPTCHA logic flaws enabling brute-force attacks on sensitive operations;
  • Local or frontend sensitive information disclosure (e.g., token or private key caching);
  • Errors affecting trading or deposit processes (e.g., order failure, abnormal settlement);
  • Subdomain takeover or exposure of sensitive configuration files.

Low Risk

Low-risk vulnerabilities include but are not limited to:

  • Reflected XSS, open redirects, or clickjacking;
  • General information disclosure (e.g., file paths, version numbers, error stacks);
  • CSRF / JSONP hijacking on non-sensitive pages;
  • Social media account takeover (non-asset-related);
  • HTTP header manipulation or missing security flags (non-exploitable).

Out-of-Scope Vulnerabilities

Web Vulnerabilities

  • Reports automatically generated by scanners or template-based outputs.
  • Reports without a valid Proof of Concept (PoC) or lacking demonstrable exploitability.
  • Reports consisting only of third-party library fingerprints, version disclosures, or generic CVE references.
  • Theoretical or non-exploitable issues (e.g., self-XSS, CSV injection, clickjacking without sensitive action).
  • Issues limited to configuration or best practice recommendations, such as:
  • Missing or misconfigured CSP, HSTS, X-Frame-Options, or security headers.
  • Missing HttpOnly/Secure cookie flags.
  • SPF/DKIM/DMARC or DNS misconfigurations.
  • TLS/SSL configuration optimization or weak cipher suite recommendations.
  • Mixed content warnings (HTTP/HTTPS).
  • OPTIONS or TRACE HTTP methods enabled without security impact.
  • CSRF or JSONP hijacking that does not involve sensitive operations.
  • Open redirect, user enumeration, or content spoofing with no tangible impact.
  • Host header injection without exploitability.
  • Weak CAPTCHA or CAPTCHA bypass without abuse potential.
  • Reflected file download (RFD) without executable payload.
  • Information disclosures such as error messages, stack traces, or version banners.
  • Issues requiring unrealistic user interaction, outdated browsers, or non-standard clients.
  • Vulnerabilities requiring man-in-the-middle (MitM) attacks or physical access.
  • Denial-of-Service (DoS/DDoS), brute-force, or rate-limit bypass achieved solely by changing IP/device ID.
  • Social engineering, phishing, or physical attacks.
  • Spam, email flooding, or abuse of third-party services.
  • Attacks on third-party platforms (WordPress, analytics, payment gateways, etc.).
  • Publicly disclosed 0-day vulnerabilities within the past 30 days (case-by-case evaluation).
  • Vulnerabilities already known to and under remediation by Phemex.
  • Issues reported on non-Phemex domains, IPs, or infrastructure.
  • Reports affecting staging, testing, or demo environments, which are not listed as in scope.

Mobile Vulnerabilities

  • Attacks requiring root/jailbreak privileges or physical access to the device.
  • Issues affecting only debug, test, or jailbroken environments.
  • Vulnerabilities requiring excessive user interaction or unrealistic conditions.
  • Missing code obfuscation, symbol information, binary protection, or root detection.
  • Absence of exploit mitigations such as PIE, ARC, or Stack Canary.
  • Sensitive data transmitted within TLS-protected requests or URLs.
  • Local information disclosure or app crashes that cannot be exploited by third parties.
  • Non-sensitive data exposure (e.g., binary paths, hardcoded OAuth keys, or application tokens).
  • Sensitive data stored in plaintext within memory or the app’s private directory (without external access).
  • Vulnerabilities found in unofficial app distributions or outdated versions.
  • Issues caused by third-party SDKs or libraries not maintained by Phemex.
  • Rate-limit bypass achieved solely by changing IP address or device ID.
  • Address bar or domain spoofing in embedded browsers (without exploitability).
  • Vulnerabilities already known to and under remediation by Phemex.

Additional Notes

  1. Apart from explicitly defined vulnerabilities, Phemex also welcomes reports concerning broken links, potential DoS vulnerabilities, or credential leaks. Such reports will be evaluated on a case-by-case basis to determine eligibility for rewards.
  • Broken links that cannot be exploited or do not pose a real security risk may be excluded.
  • Reward amounts will be adjusted according to the specific case.
  2. For the same subdomain, if multiple URLs contain identical types of vulnerabilities, only the first three valid reports will be accepted.

Code of Conduct

The following rules apply to all security researchers participating in the Phemex Bug Bounty Program. Please read carefully before testing and strictly adhere to these requirements. Violation of any clause below may result in termination of testing privileges and potential legal liability.

Testing Scope and Authorization

  • Testing activities must remain strictly within the officially authorized scope.
  • Testing of unauthorized domains, systems, APIs, or third-party resources is prohibited.
  • Testing is limited to the researcher’s own account and related assets.
  • Accessing, modifying, deleting, or manipulating other users’ data is not allowed.
  • When verifying exploitability, researchers may collect only minimal sample data sufficient to demonstrate the issue.
  • Bulk data extraction, database dumping, or large-scale enumeration of sensitive data is strictly prohibited.
  • If any abnormal business behavior or signs of compromise are detected during testing, researchers must immediately report the incident to the HackenProof team or Phemex Security Team.
  • Additional rewards may be granted depending on the situation.

Prohibited Activities

To protect the platform, users, and infrastructure, the following activities are strictly forbidden:

  1. Network and System-Level Attacks
  • No DoS/DDoS attacks, denial-of-service attempts, or any form of traffic stress testing;
  • No ARP spoofing, DHCP spoofing, DNS hijacking, or other network-layer attacks;
  • No internal network port scanning, large-scale scanning, or probing activities.
  2. Malicious Code and Intrusion Attempts
  • Uploading or implanting webshells, remote control malware, viruses, or backdoors is prohibited;
  • No use of self-replicating or infectious malware;
  • No persistence mechanisms, scheduled tasks, or multi-daemon backdoors;
  • If a backdoor file is uploaded during testing, researchers must provide its path and assist in its removal.
  3. Data and Privilege Manipulation
  • No modification or destruction of business data or data integrity;
  • No large-scale data scraping, enumeration, or database dumping;
  • No brute-force attacks or memory overflow exploits;
  • No website defacement or publication of inappropriate content through official channels.
  4. Automation and Abuse
  • Automated tools for mass scanning, registration, or submission causing excessive traffic are prohibited;
  • Request frequency is limited to a maximum of 5 requests per second.
  5. Social and Legal Risks
  • No social engineering, phishing, or spam attacks;
  • No violation of any applicable laws or regulations;
  • No sharing, selling, or leaking of vulnerability information through unauthorized channels.

Vulnerability Disclosure and Communication

  • All vulnerability details must be shared only with the HackenProof team or authorized Phemex Security personnel.
  • Public disclosure, discussion, or distribution of vulnerability details without authorization is prohibited.
  • For chained vulnerabilities, rewards will be based on the highest severity issue within the chain.
  • Disclosure of technical details is permitted only after official confirmation and remediation, in accordance with responsible disclosure principles.

Rewards and Responsibility

  • Researchers conducting compliant testing and responsible disclosure will receive appropriate rewards.
  • Testing activities must not impact or harm other users or their assets.
  • Phemex reserves the right to pursue legal action for any activity that violates this policy or causes system damage or data leakage.
  • All testing must adhere to ethical guidelines and responsible disclosure principles.

Disclosure Policy

This program is private. Without explicit company authorization, participants are prohibited from discussing this program or any discovered vulnerabilities externally. No form of public vulnerability disclosure (including partial disclosure) is allowed. Do not publish or discuss any vulnerabilities found through this program.

Eligibility and Coordinated Disclosure

Phemex appreciates all valid vulnerability submissions. However, only researchers meeting the following conditions are eligible for rewards:

  • The report is the first valid submission of the vulnerability;
  • The vulnerability falls within the reward scope;
  • The report is submitted exclusively via hackenproof.com within 24 hours of discovery;
  • The report includes a clear description, reproducible steps, and necessary screenshots or PoC;
  • The reporter is not a current or former Phemex employee or contractor;
  • The submission must be made using the researcher’s own HackenProof account (violations will result in disqualification);
  • Reports must include detailed yet concise reproduction steps.

Reward Notes

High-quality reports may receive additional bonus rewards. A high-quality report should include:

  • A working Proof of Concept (PoC);
  • Root cause analysis;
  • Remediation recommendations;
  • Relevant technical details supporting the finding.

Known Issues

The Phemex Security Team continuously performs internal vulnerability assessments across all assets. If a reported issue has already been identified internally, it will be marked as a duplicate and closed. Please respect the final determination and refrain from repeated appeals or negotiations.

Rewards

Range of bounty: $50 - $500,000

Severity    Reward
Critical    $5,000 - $30,000
High        $2,000 - $5,000
Medium      $600 - $2,000
Low         $50 - $600

Stats

  • Scope Review: 59518
  • Submissions: 315
  • Total rewards: $6,750

Types: Web, apps
Project types: CEX
Hackers: 170

SLA (Service Level Agreement)

Time within which the program's triage team must respond (in business days):

Response Type       Business days
First Response      3d
Triage Time         3d
Reward Time         3d
Resolution Time     14d