
Bug Bounty Program

November 25, 2020

The purpose of this Bug Bounty program is to encourage the discovery of software vulnerabilities on EXMO in order to make it as secure as possible. External evaluations of security are as important as internal testing and revisions of applicable systems. We appreciate your interest in this program, and we see constant improvement of EXMO security systems as a team effort that also involves our proactive users. Together we are making the safety of EXMO services even better.

We encourage our users and external researchers to conduct testing of our systems using their own tools.

Rules for research

Below are the rules for you to follow for responsible bug research and to make an appropriate bug report:

  • do not intentionally access non-public EXMO data any more than is necessary to demonstrate the bug;
  • do not permanently delete or modify EXMO hosted data;
  • do not disrupt our internal or external services;
  • do not violate the privacy of EXMO users;
  • you can only target your own account in the process of bug research;
  • do not share EXMO confidential information;
  • do not employ malicious social-engineering activities;
  • do not use any brute-force techniques in order to gain access to the system;
  • promptly report any bugs and/or vulnerabilities you find in EXMO systems;
  • do not attempt physical attacks against EXMO property or data centres.

In Scope

  • Domains and subdomains: *.exmo.com; *.exmo.me; *.exmo.com.tr;
  • API https://api.exmo.com;
  • Mobile applications:
    • https://play.google.com/store/apps/details?id=com.exmo;
    • https://apps.apple.com/ru/app/exmo-exchange/id1505496232.

Out of Scope

  • Subdomains: info.exmo.com; info.exmo.me;
  • Domain and subdomains: *.exmo.money;
  • Domains: support.exmoney.com; exmoney.zendesk.com.

Included

The following outlines the nominal rewards for specific classes of vulnerabilities for in-scope properties (see the section on Scope).

  • Remote code execution
  • Injection
  • Broken Authentication and Session Management
  • Administrative functionality
  • Account takeover
  • Other valid vulnerabilities

Exclusions

We do not accept as eligible for this program the reports on bugs that relate to:

  • Any third-party applications or sites hosted by them;
  • Obtuse or extensive social engineering;
  • DDoS, spamming;
  • Missing cookie flags on non-security-sensitive cookies;
  • SSL weaknesses, public information and/or browser instructions (HTTP, TLS, SPF, DKIM, etc.);
  • Software or protocols that EXMO does not control;
  • Outdated or unpatched versions of web browsers;
  • Attacks requiring physical access to a user’s device;
  • UI and UX bugs and spelling or localization mistakes;
  • Vulnerabilities in third-party applications;
  • Bugs already known to us.

If you have found a security issue that directly affects a cryptocurrency and/or its components (e.g. blockchain, node, wallet), please ensure that you report it directly to the respective project team.

Submit a bug

Please submit your bug reports to support@exmo.com. Our technical team will contact you shortly if they recognise the reported issue as a bug. Include as much information as possible in your message, so that we can perform an in-depth review of the bug, assess it and consider its potential impact. Please also include instructions and/or proof-of-concept code to reproduce the bug.

If you want your name to be included in the Wall of Fame, include it in your bug report.

Get a reward

The minimum reward for a reported and confirmed bug is 100 USD (One Hundred US Dollars). If we consider the reported bug to be of moderate or critical technical severity, we will pay you more.

One reward is paid per bug.

Safe harbour

Any bug research activities conducted by you in a manner consistent with this Bug Bounty program will be considered by us as authorized, and we will not initiate a legal claim against you.

Legal note

This Bug Bounty program is not open to individuals on sanctions lists or to individuals in countries on sanctions lists whose users we do not accept for our services (for more details, please read our User Agreement). You are also solely responsible for payment of any tax in relation to the reward, and are expected to comply with all applicable laws.

We may modify the terms and conditions of this Bug Bounty program or terminate it at any time.

Please note that we register your personal data in connection with the processing of bug reports. If you wish to report the issue anonymously, please state so in your communication.

Given the sensitive nature of possible bugs, we authorise the disclosure of such bugs only after they have been fully remediated, we have approved the disclosure details, and no sensitive information is included in the disclosure.

Copyright © EXMO EXCHANGE LTD. 2013-2021, 2 Kingdom Street, London, United Kingdom