Bug Bounty Program

We are pleased to announce our Bug Bounty Program and encourage everyone to participate by submitting vulnerabilities.

You can send your vulnerability information to [email protected], and our team will swiftly review and verify the reported issues. We value your contribution to our platform's security and will be in contact with you promptly.


Web Bug Bounty

Scope

  • *.safex.trading

Bounty Rewards

Severity Level    Bounty
Low-risk          50 to 100 USDT
Medium-risk       100 to 500 USDT
High-risk         500 to 1000 USDT
Critical          1000 to 5000 USDT


Web Vulnerability Definitions

Critical Vulnerabilities

Critical vulnerabilities are vulnerabilities in core business systems (e.g., core control systems, domain controllers, business distribution systems, and bastion hosts) that manage a large number of other systems. Such vulnerabilities can have a wide-ranging impact, including:

  • Unauthorized control of business systems.

  • Obtaining administrative privileges of core systems.

  • Taking control of core systems.

Examples:

  • Controlling multiple devices within the internal network.

  • Obtaining super-administrator privileges of the backend, leading to severe consequences such as leakage of critical enterprise data.

  • Smart contract overflow and race condition vulnerabilities.

High-risk Vulnerabilities

  • Gaining system privileges (e.g., GetShell, command execution).

  • System SQL injection.

  • Unauthorized access to sensitive information (e.g., bypassing authentication, weak passwords, SSRF vulnerabilities).

  • Arbitrary file reading.

  • XXE vulnerabilities allowing access to any information.

  • Unauthorized transactions or bypassing payment logic involving funds.

  • Severe logical and process design flaws (e.g., arbitrary user login vulnerabilities, bulk modification of account passwords).

  • Other vulnerabilities with wide-ranging user impact (e.g., stored XSS vulnerabilities on important pages).

  • Extensive source code leakage.

  • Smart contract permission control flaws.

Medium-risk Vulnerabilities

  • Vulnerabilities requiring user interaction (e.g., stored XSS, CSRF related to core business processes).

  • Parallel authorization operations (e.g., bypassing restrictions to modify user data).

  • Denial of Service (DoS) vulnerabilities.

  • Captcha logic flaws allowing brute-forcing of sensitive operations.

  • Local leakage of sensitive authentication key information.

Low-risk Vulnerabilities

  • Local DoS vulnerabilities (e.g., client-side crashes).

  • Routine information leakage (e.g., web path traversal, directory browsing).

  • XSS vulnerabilities (including DOM XSS/Reflected XSS).

  • Routine CSRF vulnerabilities.

  • URL redirection vulnerabilities.

  • SMS bombs, email bombs (only one type accepted per system).

  • Other low-impact vulnerabilities or those unable to demonstrate harm.


Vulnerability Types Not Accepted

  • Email spoofing.

  • User enumeration vulnerabilities.

  • Self-XSS and HTML injection.

  • Webpage missing CSP and SRI security policies.

  • CSRF issues for non-sensitive operations.

  • Individual Android App issues (e.g., android:allowBackup="true").

  • Slow requests caused by modifying image-size parameters.

  • Leaked versions of Nginx or other software.

  • Functional issues without security risks.

  • Personal attacks on SAFEX employees or social engineering.


Contract Vulnerability Definitions

Critical Vulnerabilities

  • Any governance voting result manipulation.

  • Direct theft of user funds (at-rest or in-motion, excluding unclaimed yield).

  • Permanent freezing of funds.

  • Miner-extractable value (MEV).

  • Protocol insolvency.

High-risk Vulnerabilities

  • Theft of unclaimed yield or royalties.

  • Permanent freezing of unclaimed yield or royalties.

  • Temporary freezing of funds.

Medium-risk Vulnerabilities

  • Smart contract unable to operate due to lack of token funds.

  • Block stuffing for profit.

  • Griefing (e.g., no profit motive but damage to users or protocol).

  • Theft of gas.

  • Unbounded gas consumption.

Low-risk Vulnerabilities

  • Contract fails to deliver promised returns but doesn’t lose value.

Information Vulnerabilities

  • Incorrect data supplied by third-party oracles.

  • Impacts requiring basic economic and governance attacks (e.g., 51% attack).

  • Lack of liquidity impacts.

  • Impacts from Sybil attacks.

  • Centralization risks.

  • Best practice recommendations.


Prohibited Activities

  • Engaging in social engineering or phishing activities.

  • Disclosing specific information about vulnerabilities.

  • Destructive testing (only Proof of Concept (PoC) allowed).

  • Large-scale scanning without using scanning tools.

  • Direct modification of web pages, continued pop-up message boxes, cookie theft, or invasive payloads.

If any unintended harm occurs during testing, it must be promptly reported. Failure to comply may result in legal consequences.


Join Us in Making SAFEX Safer!

We appreciate your efforts in helping us maintain a secure platform. Together, we can build a safer crypto ecosystem!

Contact: [email protected]
Website: safex.trading
