The purpose of this Bug Bounty program is to encourage the discovery of software vulnerabilities on EXMO in order to make it as secure as possible. External evaluations of security are as important as internal testing and review of the applicable systems. We appreciate your interest in this program, and we see the constant improvement of EXMO security systems as a team effort that also involves our proactive users. Together we are making EXMO services even safer.
We encourage our users and external researchers to conduct testing of our systems using their own tools.
Below are the rules for you to follow for responsible bug research and to make an appropriate bug report:
The following outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see the section on Scope).
We do not accept as eligible for this program the reports on bugs that relate to:
If you have found a security issue that directly affects a cryptocurrency and/or its components (e.g. blockchain, node, wallet), please ensure that you report it directly to the respective project team.
Please submit your bug reports to support@exmo.com. Our technical team will contact you shortly if they recognise the issue in question as a bug. Include as much information as possible in your message so that we can perform an in-depth review of the bug, assess it and consider its potential impact. Please also include instructions and/or proof-of-concept code to reproduce the bug you found.
If you want your name to be included in the Wall of Fame, state it in your bug report.
The minimum reward for a reported and confirmed bug is 100 USD (One Hundred US Dollars). If we consider the reported bug to be of moderate or critical technical severity, we will pay you more.
One reward is paid per bug.
Any bug research activities that you conduct in a manner consistent with this Bug Bounty program will be considered authorized by us, and we will not initiate a legal claim against you.
This Bug Bounty program is not open to individuals on sanctions lists or to individuals in countries on sanctions lists whose users we do not accept for our services (for more details, please read our User Agreement). You are also solely responsible for payment of any tax in relation to the reward, and are expected to comply with all applicable laws.
We may modify the terms and conditions of this Bug Bounty program or terminate it at any time.
Please note that we register your personal data in connection with the processing of bug reports. If you wish to report the issue anonymously, please state so in your communication.
Given the sensitive nature of possible bugs, we authorise the disclosure of such bugs only after they have been fully remediated, we have approved the disclosure details, and no sensitive information is included in the disclosure.