The idea behind the Bug Bounty Program is to encourage proactive EXMO traders and external researchers to spot software vulnerabilities on the EXMO platform.
We believe that external security evaluations are as important as internal testing, so we greatly appreciate your effort to make EXMO even more reliable. Our Bug Bounty Program allows you to be rewarded for providing us with bug reports. Let’s contribute to EXMO’s security together!
We recommend that you use your own tools when testing our systems.
Follow the rules below when researching and reporting bugs:
When carrying out security research, focus on the following classes of vulnerabilities:
The following vulnerabilities are not considered eligible for this program:
Infrastructure vulnerabilities, including:
If you have found a security issue that directly affects a cryptocurrency and/or its components (e.g. blockchain, node, wallet), please ensure that you report it directly to the project team.
The following vulnerability classes are excluded in relation to our mobile app:
Please submit your bug reports to [email protected]. Our technical team will contact you shortly if they recognise the bug in question. Include as much information as possible in your message so that we can perform an in-depth review of the bug and assess its potential impact. Also include instructions and/or proof-of-concept code in your bug report. If you want your name to be included in the Wall of Fame, specify this in your bug report message.
As an alternative option, you can also submit your bug report on our partner’s page. HackenProof is a leading web3 bug bounty and vulnerability coordination platform.
The minimum reward for a reported and confirmed bug is $50. If we consider the reported bug to be of critical technical severity, we will pay up to $3,000. We reserve the right to increase or decrease the size of the reward depending on the seriousness of the vulnerability found.
The calculation below shows an approximate reward for detecting vulnerabilities:
Critical: $2,500 – 3,000
High: $1,000 – 2,000
Medium: $500 – 1,000
Low: $50 – 250
Any bug research activities you conduct in a manner consistent with this Bug Bounty Program will be considered authorised. We will not take legal action against researchers, nor ask law enforcement bodies to investigate security breaches by researchers, provided that they comply with the industry standards and responsible disclosure guidelines described in this Bug Bounty Program.
– Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability.
– Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
– Do not modify or access data that does not belong to you.
– Report the vulnerability as soon as possible.
– Do not use the detected vulnerabilities for unjust enrichment. If you use the vulnerability in a way that can cause harm to EXMO, our users and third parties and do not report the vulnerability to EXMO, you will not receive a reward and we reserve the right to commence legal action against you.
– Do not violate any law and stay in the defined scope, and do not participate in any illegal actions (activities).
– If you encounter personally identifiable information or other sensitive data for accounts or data breach by other persons, please stop accessing that data immediately and report the issue to EXMO at the e-mail address [email protected]. Do not store or transmit other users’ data, and destroy all copies of data that is not yours that you accidentally or deliberately captured during the course of your research.
– After sending a report, you may not tell anyone about the vulnerability or disclose it anywhere. Public disclosure of a vulnerability makes it ineligible for a reward. Furthermore, you shall not store screenshots and/or executable code and scripts related to the vulnerability, so that the information does not become available to third parties.
This Bug Bounty Program is not open to individuals on sanctions lists or individuals located in countries on sanctions lists (for more details, please read our User Agreement). You are also solely responsible for payment of any tax in relation to the reward and are obliged to comply with all applicable laws.
We reserve the right to modify the terms and conditions of this Bug Bounty Program or terminate it at any time.
Please note that we register your personal data when processing bug reports. If you wish to report the issue anonymously, please state so in your communication.
Given the sensitive nature of possible bugs, we authorise the disclosure of such bugs only after they have been fixed, the disclosure details have been approved, and there is no sensitive information included.