DEXTRADE BUG BOUNTY PROGRAM
DexTrade is a transformative ecosystem of solutions: a versatile multi-cryptocurrency non-custodial wallet, an innovative peer-to-peer platform, and a highly functional and robust payment gateway. Together they offer an all-encompassing ecosystem for the convenient exchange, transfer, acquisition, and management of digital assets.
DexWallet, DexP2P and DexPay combine advanced tech and user-centric design, catering to all users. DexTrade provides a comprehensive crypto navigation experience – from secure multi-signature and easy token and NFT transfers between users and multiple blockchains to fine-tuning a crypto payment gateway for your business.
Program Rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Disclosure Policy
Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the DexTrade team.
Eligibility and Responsible Disclosure
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see below).
- “OneFixOneReward”: If two or more endpoints use the same codebase and a single fix can be deployed to fix all the different endpoints, only one endpoint will be considered as eligible for a reward and other reports will be closed as Informative. Regardless, such reports will be reviewed on a case by case basis.
- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.
- You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit your rate of requests per second).
- You must not leak, manipulate, or destroy any user data.
- You must not be a former or current employee of DexTrade or one of its contractors.
- Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.
- No vulnerability disclosure, including partial disclosure, is allowed.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep DexTrade and our users safe!
Response Targets
DexTrade will make a best effort to meet the following SLAs (service level agreements) for hackers participating in our program:

| Type of Response | SLA in business days |
|---|---|
| First Response | 5 days |
| Time to Triage | 10 days |
| Time to Bounty | 30 days |
| Time to Resolution | depends on severity and complexity |
We will do our best to keep you informed about our progress throughout the process.
Rewards Grid
Rewards are given based on CVSS (Common Vulnerability Scoring System) scoring and actual business impact.
| Rating | CVSS score | Bounty |
|---|---|---|
| Low | 0.1 – 3.9 | $50 – 100 |
| Medium | 4.0 – 6.9 | $100 – 300 |
| High | 7.0 – 8.9 | $300 – 1000 |
| Critical | 9.0 – 10.0 | $1000 – 2000 |
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Vulnerabilities only affecting users of outdated or unpatched applications and platforms
- Reporting on general security best practices, such as password strength guidelines, password policies.
- Identifying missing security features or controls that are not specific to the application or service.
- Clickjacking
- Email or Nonces sent to third party domains
- Unconfirmed reports from automated vulnerability scanners
- Security weaknesses with no evidence of the ability to target a remote victim. For example: HTTP Host header attacks, missing rate limits, brute-forcing without demonstrating impact, etc.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring a MITM or physical access to a user’s device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Arbitrary file upload
- Email flooding
- User enumeration
- Any activity that could contribute to the disruption of our service (DoS).
- Content spoofing and text injection issues
- Theoretical subdomain takeovers with no supporting evidence
- Missing Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email security best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)
- Tabnabbing
- Self XSS
- Broken links
- Open redirect – unless an additional security impact can be demonstrated
- Rate limit bypass through IP rotation techniques
- Session invalidation issues (logout not expiring sessions)
- Issues that require unlikely user interaction by the victim
- Vulnerabilities on subdomains that point to third party services.
- Disclosure of API keys with the prefix pk_*. These are publishable keys and are not sensitive.
- Invalid or stale employee credential dumps – we already monitor haveibeenpwned.com and other sources for dumps of this nature.
Out of scope bugs for iOS and Android apps:
- Root / Jailbreak detection bypass
- Lack of Root / Jailbreak detection
- Bypass of certificate pinning
- Lack of binary protection (anti-debugging, PIE, ARC, or Stack Canaries) controls
- Lack of obfuscation
- Snapshot/Pasteboard leakage
- Crashes in general
- Runtime hacking exploits (exploits only possible in a rooted/jailbroken environment)
- Hardcoded keys or values, if they do not provide functionality beyond the normal application functionality (e.g. the ability to escalate privileges beyond normal application access)
- Any kind of sensitive data stored in the app's private directory
Qualifying vulnerabilities
- Business logic vulnerability with real security impact
- Authentication bypass & broken authentication
- Horizontal and vertical privilege escalation
- Code injections (HTML, JS, SQL, PHP, …)
- Remote Code Execution (RCE)
- Cross-Site Scripting (XSS)
- CORS with real security impact
- Cross-site Request Forgery (CSRF) with real security impact
- Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Insecure Direct Object References (IDOR)
- Sensitive Information Exposure through insecure data storage on device
- Lack of SSL pinning, jailbreak/root detection, anti-debugging controls, etc. on the latest version in the Play Store or App Store
- Bypassing Verification Methods
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators, and define the reward split ratio.
Legal
DexTrade reserves the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting.