
Bug Bounty Program

December 19, 2022

The idea behind the Bug Bounty Program is to encourage proactive EXMO traders and external researchers to spot software vulnerabilities on the EXMO platform.

We believe that external security assessments are as important as internal testing, so we greatly appreciate your effort to make EXMO even more reliable. Our Bug Bounty Program allows you to be rewarded for providing us with bug reports. Let’s contribute to EXMO’s security together!

We recommend that you use your own tools when testing our systems.

Research rules

Follow the rules below when researching and reporting bugs:

  • Make every effort not to compromise any personal data, interrupt or degrade any service.
  • Do not damage or restrict the availability of EXMO services and infrastructure.
  • Perform bug research only within the scope set out below.
  • When searching for vulnerabilities, target your own account and do not modify the data of other EXMO users.
  • Collect only the information necessary to report a bug.
  • Avoid using automated web application scanners so as not to generate a significant amount of traffic.
  • Don’t spam forms or account creation flows using automated scanners.
  • Any found vulnerability must be reported to the EXMO team promptly.
  • Do not communicate any details of vulnerabilities to anyone outside EXMO or HackenProof.
  • Avoid exploiting any DoS/DDoS vulnerabilities, social engineering attacks, or spam.

Scope

  • Domain: exmo.com
  • Subdomain: *.exmo.com
  • API: https://api.exmo.com
  • Mobile applications:
    • https://play.google.com/store/apps/details?id=com.exmo
    • https://apps.apple.com/ru/app/exmo-exchange/id1505496232

Outside of scope

  • Subdomain: info.exmo.com
  • Domain and subdomains: *.exmo-coin.exmo.com
  • Domains: support.exmoney.com; exmoney.zendesk.com

Included

When carrying out security research, focus on the following classes of vulnerabilities:

  • Remote code execution (RCE)
  • Injection vulnerabilities (SQL, XXE)
  • Business logic issues
  • Payments manipulation
  • File inclusions (local and remote)
  • Access control issues (IDOR, privilege escalation, etc.)
  • Leakage of sensitive information
  • Server-side request forgery (SSRF)
  • Cross-site request forgery (CSRF)
  • Cross-site scripting (XSS)
  • Directory traversal
  • Other vulnerabilities presenting a potential business risk

Exclusions

The following vulnerabilities are not considered eligible for this program:

  • Vulnerabilities in third-party applications
  • Recently disclosed (less than 30 days ago) 0-day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraudulent activities
  • Best practices concerns
  • Vulnerabilities involving active content such as web browser add-ons
  • Denial of service (DoS/DDoS) and spamming (SMS, email, etc.)
  • Most brute-forcing issues without any clear impact
  • Publicly accessible login panels without proof of exploitation
  • Disclosure of public user information, as well as non-sensitive and moderately sensitive information
  • Missing HTTP security header
  • Missing cookie flags on non-security-sensitive cookies

Infrastructure vulnerabilities, including:

  • Certificates/TLS/SSL-related issues
  • DNS issues (e.g. MX records, SPF records, DMARC records, etc.)
  • Server configuration issues (e.g. open ports, TLS, etc.)
  • User account enumeration
  • Self-XSS that cannot be used to exploit other users
  • Login and logout CSRF
  • Weak captcha
  • Username/email enumeration via register page error messages
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content spoofing without embedded links/HTML
  • Reflected file download (RFD)
  • Mixed HTTP content
  • HTTPS mixed content scripts
  • MitM and local attacks
  • Reports stating that software is out of date or vulnerable without a proof of concept
  • Reports that are generated by scanners or any automated or active exploit tools
  • Software or protocols that EXMO does not control
  • Theoretical issues and bugs that are already known to us

If you have found a security issue that directly affects a cryptocurrency and/or its components (e.g. blockchain, node, wallet), please ensure that you report it directly to the project team.

Exclusions for EXMO’s mobile app

The following vulnerability classes are excluded in relation to our mobile app:

  • Attacks that require physical access to a user’s device
  • Vulnerabilities requiring root/jailbreak or extensive user interaction
  • Exposure of non-sensitive data on the device
  • Reports from static analysis of the binary without a PoC that impacts business logic
  • Lack of obfuscation/binary protection/root(jailbreak) detection
  • Bypassing certificate pinning on rooted devices
  • Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in the binary
  • OAuth and app secret hard-coded/recoverable in IPA, APK
  • Sensitive information retained as plaintext in the device’s memory
  • Crashes due to malformed URL schemes or intents sent to exported activity/service/broadcast receiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in the app’s private directory
  • Runtime hacking exploits using tools like, but not limited to, Frida/AppMon (exploits only possible in a jailbroken environment)
  • Shared links leaked through the system clipboard
  • Any URIs leaked because of a malicious app having permission to view URIs opened
  • Exposure of API keys with no security impact (Google Maps API keys, etc.)

Submit a bug

Please submit your bug reports to [email protected]. Our technical team will contact you shortly if they recognise the bug in question. Include as much information as possible in your message so that we can perform an in-depth review of the bug and assess its potential impact. Also include reproduction instructions and/or proof-of-concept code in your bug report. If you want your name to be included in the Wall of Fame, specify this in your bug report message.

Alternatively, you can submit your bug report on our partner’s page: HackenProof is a leading web3 bug bounty and vulnerability coordination platform.

Get a reward

The minimum reward for a reported and confirmed bug is $50. If we consider the reported bug to be of critical technical severity, we will pay up to $3,000. We reserve the right to increase or decrease the size of the reward depending on the seriousness of the vulnerability found.

The scale below shows the approximate reward for each severity level of a detected vulnerability:

  • Critical: $2,500 – $3,000
  • High: $1,000 – $2,000
  • Medium: $500 – $1,000
  • Low: $50 – $250

Safe harbour

Any bug research activities conducted by you in a manner consistent with this Bug Bounty Program will be considered authorised. We will not take legal action against researchers, nor ask law enforcement bodies to investigate security breaches by researchers, provided they comply with the industry standards and responsible disclosure guidelines described in this Bug Bounty Program.

Responsible disclosure guidelines

– Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability.

– Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

– Do not modify or access data that does not belong to you.

– Report the vulnerability as soon as possible.

– Do not use the detected vulnerabilities for unjust enrichment. If you use a vulnerability in a way that can cause harm to EXMO, our users or third parties, and do not report the vulnerability to EXMO, you will not receive a reward and we reserve the right to commence legal action against you.

– Do not violate any law, stay within the defined scope, and do not participate in any illegal activities.

– If you encounter personally identifiable information or other sensitive data belonging to other persons’ accounts, or evidence of a data breach affecting other persons, stop accessing that data immediately and report the issue to EXMO at [email protected]. Do not store or transmit other users’ data, and destroy all copies of data that is not yours that you captured, accidentally or deliberately, during the course of your research.

– After sending a report, you must not disclose the vulnerability to anyone, anywhere. Public disclosure of a vulnerability makes it ineligible for a reward. Furthermore, you shall not retain screenshots and/or executable code and scripts related to the vulnerability, so that the information is not made available to third parties.

Legal note

This Bug Bounty Program is not open to individuals on sanction lists or individuals located in countries on sanctions lists (for more details, please read our User Agreement). You are also solely responsible for payment of any tax in relation to the reward and obliged to comply with all applicable laws.

We reserve the right to modify the terms and conditions of this Bug Bounty Program or terminate it at any time.

Please note that we register your personal data when processing bug reports. If you wish to report the issue anonymously, please state so in your communication.

Given the sensitive nature of possible bugs, we authorise the disclosure of such bugs only after they have been fixed, the disclosure details have been approved, and there is no sensitive information included.


EXMO TRADING SL LTD. operates the EXMO Platform for customers outside the EU countries. Registered at Ground Floor, The Sotheby Building, Rodney Village, Rodney Bay, Gros-Islet, Saint Lucia.

EXMO Poland Sp. z o.o., based in Krakow, 7I Puszkarska St. lok B4B D, 30-644 Krakow, KRS number 0000963082, registered in the register of virtual currency activities under number RDWW-1139, provides virtual currency services exclusively to customers who are residents of the Republic of Poland.

EXMO EXCHANGE LTD. provides technical and support services to the EXMO Platform.

© EXMO 2014-2025, EXMO EXCHANGE LTD.
