Bug Bounty Program

Last updated: 26 January 2022

The idea behind the Bug Bounty Program is to encourage proactive EXMO traders and external researchers to spot software vulnerabilities on the EXMO platform.

We believe that external security valuations are as important as internal testing, so we greatly appreciate your effort to make EXMO even more reliable. Our Bug Bounty Program allows you to be rewarded for providing us with bug reports. Let’s contribute to EXMO’s security together!

We recommend that you use your own tools when testing our systems.

Research rules

Follow the rules below when researching and reporting bugs:

• Make every effort not to compromise any personal data, interrupt or degrade any service.
• Do not damage or restrict the availability of EXMO services and infrastructure.
• Perform bug research only within the scope set out below.
• When searching for vulnerabilities, target your own account and do not modify the data of other EXMO users.
• Collect only the information necessary to report a bug.
• Avoid using automated web application scanners, in order to not generate a significant amount of traffic.
• Don’t spam forms or account creation flows using automated scanners.
• Any found vulnerability must be reported to the EXMO team promptly.
• Do not communicate any details of vulnerabilities to anyone outside EXMO or HackenProof.
• Avoid exploiting any DoS/DDoS vulnerabilities, social engineering attacks, or spam.

Scope

• Domains: exmo.com; exmo.me
• Subdomains: *.exmo.com; *.exmo.me
• API https://api.exmo.com
• Mobile applications:
  • https://play.google.com/store/apps/details?id=com.exmo;
  • https://apps.apple.com/ru/app/exmo-exchange/id1505496232.

Outside of scope

• Subdomains: info.exmo.com; info.exmo.me
• Domain and subdomains: *.exmo.money
• Domains: support.exmoney.com; exmoney.zendesk.com

Included

When carrying out security research, focus on the following classes of vulnerabilities:

• Remote code execution (RCE)
• Injection vulnerabilities (SQL, XXE)
• Business logic issues
• Payments manipulation
• File inclusions (local and remote)
• Access control issues (IDOR, privilege escalation, etc.)
• Leakage of sensitive information
• Server-side request forgery (SSRF)
• Cross-site request forgery (CSRF)
• Cross-site scripting (XSS)
• Directory traversal
• Other vulnerabilities presenting a potential business risk

Exclusions

The following vulnerabilities are not considered eligible for this program:

• Vulnerabilities in third-party applications
• Recently (less than 30 days) disclosed 0-day vulnerabilities
• Vulnerabilities affecting users of outdated browsers or platforms
• Social engineering, phishing, physical, or other fraudulent activities
• Best practices concerns
• Vulnerabilities involving active content such as web browser add-ons
• Denial of service (DoS/DDoS) and spamming (SMS, email, etc.)
• Most brute-forcing issues without any clear impact
• Publicly accessible login panels without proof of exploitation
• Disclosure of public user information, as well as non-sensitive and moderately sensitive information
• Missing HTTP security header
• Missing cookie flags on non-security-sensitive cookies
• Infrastructure vulnerabilities, including:
  • Certificates/TLS/SSL-related issues
  • DNS issues (i.e. MX records, SPF records, DMARC records, etc.)
  • Server configuration issues (i.e., open ports, TLS, etc.)
• User account enumeration
• Self-XSS that cannot be used to exploit other users
• Login and logout CSRF
• Weak captcha
• Username/email enumeration via register page error messages
• CSRF in forms that are available to anonymous users (e.g. the contact form)
• OPTIONS/TRACE HTTP method enabled
• Host header issues without proof-of-concept demonstrating the vulnerability
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Content spoofing without embedded links/HTML
• Reflected file download (RFD)
• Mixed HTTP content
• HTTPS mixed content scripts
• MitM and local attacks
• Reports stating that software is out of date or vulnerable without a proof of concept
• Reports that are generated by scanners or any automated or active exploit tools
• Software or protocols that EXMO does not control
• Theoretical issues and bugs that are already known to us

If you have found a security issue that directly affects a cryptocurrency and/or its components (e.g. blockchain, node, wallet), please ensure that you report it directly to the project team.

Exclusions for EXMO’s mobile app

The following vulnerability classes are excluded in relation to our mobile app:

• Attacks that require physical access to a user’s device
• Vulnerabilities requiring root/jailbreak or extensive user interaction
• Exposure of non-sensitive data on the device
• Reports from static analysis of the binary without PoC that impacts business logic
• Lack of obfuscation/binary protection/root(jailbreak) detection
• Bypass certificate pinning on rooted devices
• Lack of exploit mitigations i.e., PIE, ARC, or Stack Canaries
• Sensitive data in URLs/request bodies when protected by TLS
• Path disclosure in the binary
• OAuth and app secret hard-coded/recoverable in IPA, APK
• Sensitive information retained as plaintext in the device’s memory
• Crashes due to malformed URL schemes or intents sent to exported activity/service/broadcast receiver (exploiting these for sensitive data leakage is commonly in scope)
• Any kind of sensitive data stored in-app private directory
• Runtime hacking exploits using tools like but not limited to Frida/ AppMon (exploits only possible in a jailbroken environment)
• Shared links leaked through the system clipboard
• Any URIs leaked because of a malicious app having permission to view URIs opened
• Exposure of API keys with no security impact (Google Maps API keys, etc.)

Submit a bug

Please submit your bug reports to [email protected]. Our technical team will contact you shortly if the bug in question is recognised by them. Include as much information as possible in your message so that we can perform an in-depth review of the bug and assess its potential impact. Also, include an instruction and/or proof-of-concept codes in your bug report. If you want your name to be included in the Wall of Fame, then specify this in your bug report message.

As an alternative option, you can also submit your bug report on our partner’s page. HackenProof is a leading web3 bug bounty and vulnerability coordination platform.

Get a reward

The minimum reward for a reported and confirmed bug is $50. If we consider that the reported bug is of critical technical severity – we will pay up to $3,000.

• Critical: $2,500 – 3,000
• High: $1,000 – 2,000
• Medium: $500 – 1,000
• Low: $50 – 250

Safe harbour

Any bug research activities conducted by you in a manner consistent with this Bug Bounty Program will be considered authorised, and we will not initiate a legal claim against you.

Legal note

This Bug Bounty Program is not open to individuals on sanction lists or individuals located in countries on sanctions lists (for more details, please read our User Agreement). You are also solely responsible for payment of any tax in relation to the reward and obliged to comply with all applicable laws.

We reserve the right to modify the terms and conditions of this Bug Bounty Program or terminate it at any time.

Please note that we register your personal data when processing bug reports. If you wish to report the issue anonymously, please state so in your communication.

Given the sensitive nature of possible bugs, we authorise the disclosure of such bugs only after they have been fixed, the disclosure details have been approved, and there is no sensitive information included.