сoinsbit.io Bug Bounty Program

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

General Requirements:

About:
Being the largest cryptocurrency exchange means reliability. Your own confidence is the most important thing for us. It is thanks to this confidence of our traders we entered the top largest exchanges in the ranking of CoinMarketCap and CoinGecko. We know how to achieve peak goals and we know what service is needed for this. A million of our traders appreciated the convenience and reliability of our platform - this is our main achievement, and the main reason for you to start working on our platform. Right now.

Rewards/Ratings:

After your application has been accepted, send a request to [email protected]

Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.

Testing Requirements:

Targets
coinsbit.io
Remote code execution
Coinsbit Mobile Application for Android
Coinsbit Mobile Application for IOS
LFI/LFI/SQLi
Balance manipulation
Partial authentication bypass
Theft of sensitive information
Financial vulnerability and personal data

Possible Awards:

Reward range
Critical 300$ - 500$
Severe 300$ - 500$

Critical
Vulnerabilities that could undermine the fund safety of any user or business runner, including:

Vulnerabilities that could expose private keys or any other sensitive secrets
vulnerabilities that could allow unfair trading, swapping, exchange, or any economic practice that results in loss of funds
Vulnerabilities impacting the system, human governance or judgment that could cause significant economic unfairness or loss of funds

Severe
Vulnerabilities with similar impact as Critical vulnerabilities, but are dependent on specific prerequisites

Special Notes:

Ineligible issues (Will be closed as out of scope):

Theoretical vulnerabilities without actual proof of concept
Email verification deficiencies, expiration of password reset links, and password complexity policies
Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
Clickjacking/UI redressing with minimal security impact
Email or mobile enumeration (E.g. the ability to identify emails via password reset)
Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
Internally known issues, duplicate issues, or issues which have already been made public
Tab-nabbing
Self-XSS
Vulnerabilities only exploitable on out-of-date browsers or platforms
Vulnerabilities related to auto-fill web forms
Use of known vulnerable libraries without actual proof of concept
Lack of security flags in cookies
Issues related to unsafe SSL/TLS cipher suites or protocol version
Content spoofing
Cache-control related issues
Exposure of internal IP address or domains
Missing security headers that do not lead to direct exploitation
CSRF with negligible security impact (E.g. adding to favorites, adding to cart, subscribing to a non-critical feature)
Vulnerabilities that require root/jailbreak
Vulnerabilities that require physical access to a user's device
Issues that have no security impact (E.g. Failure to load a web page)
Phishing (E.g. HTTP Basic Authentication Phishing)
Any activity (like DoS/DDoS) that disrupts our services
Installation Path Permissions
Reports from automated tools or scans