Bug Bounty


Although our team of experts made every effort to eliminate all bugs in our systems, there is always the possibility that we could miss an error representing a significant vulnerability.

Emirex recognizes the importance and worth of security researchers' efforts to improve the security of our service. We encourage the responsible disclosure of security vulnerabilities through our Bug Bounty Program, described on this page.

Would you like to submit a bug report?

If you have found a security bug, please fill in the bug report form. Our team will review your report and get back to you as soon as possible. Note that the more information you provide, the better.

Note that we only approve reports of real bugs, not theoretical ones, and each report should include an explanation of the bug and how it can affect the security of our service and our clients.

Rewards for Bug Reports

We rank bug reports by priority and provide fair rewards for disclosing significant vulnerabilities.

Emirex Bug Bounty Principles

We stand for ethical research principles, and we hope that users who research vulnerabilities share them and follow the recommendations below:

  • Avoid violating the privacy of other users, destroying data, disrupting our services, etc.
  • Please use only your own account to conduct research; do not use the accounts of other users.
  • Social engineering, spam and DDoS attacks should be avoided.
  • Bug report content should be provided exclusively to our technical team, and shouldn’t be disclosed or published to third parties.
  • Depending on the severity of the reported vulnerability, we need a reasonable amount of time to fix it; please take that into account.

Please note that, for your efforts to be helpful and rewarded, your actions shouldn’t be disruptive or harmful to our service or our users.

Scope of Research

This bug bounty is launched to improve the security of our service, so only reports of security vulnerabilities will be rewarded. However, we would be grateful if you report any other kind of bug by submitting a ticket, to help make our service better.

Out of Scope

  • Vulnerabilities on sites hosted by third parties (kb.emirex.com, etc.) unless they lead to a vulnerability on the main website.
  • Vulnerabilities contingent on physical attacks, social engineering, spamming, DDoS attacks, etc.
  • Vulnerabilities affecting outdated or unpatched browsers.
  • Vulnerabilities in third-party applications that make use of Emirex's API.
  • Bugs that have not been responsibly investigated and reported.
  • Bugs already known to us, or already reported by someone else (reward goes to the first reporter).
  • Issues that aren't reproducible.
  • Issues that we can't reasonably be expected to do anything about.

Ineligible Bug Reports

Here are the types of bugs that are not eligible for rewards:

  • Theoretical vulnerabilities without actual proof of concept
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
  • Clickjacking/UI redressing with minimal security impact
  • Email or mobile enumeration (e.g. the ability to identify emails via password reset)
  • Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs)
  • Internally known issues, duplicate issues, or issues which have already been made public
  • Tab-nabbing
  • Self-XSS
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities related to auto-fill web forms
  • Use of known vulnerable libraries without actual proof of concept
  • Lack of security flags in cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol versions
  • Content spoofing
  • Cache-control related issues
  • Exposure of internal IP address or domains
  • Missing security headers that do not lead to direct exploitation
  • CSRF with negligible security impact (e.g. adding to favourites, adding to cart, subscribing to a non-critical feature)
  • Vulnerabilities that require root/jailbreak
  • Vulnerabilities that require physical access to a user's device
  • Issues that have no security impact (e.g. failure to load a web page)
  • Phishing (e.g. HTTP Basic Authentication phishing)

Disclaimers

  • A reward for a bug report is granted only to the customer who was first to report the specified bug.
  • Rewards are granted for reporting bugs that affect security. Issues such as broken links or pages that do not load are not in the scope of research. However, we will be grateful if you notify us about such a bug by submitting a ticket.
  • Disclosure policy: a user participating in the bug bounty program should give the exchange a reasonable amount of time to fix the reported bug, and no information about this bug should be published or disclosed to third parties.
  • Users participating in the bug bounty program should make sure that all the data provided in a bug report is valid and mistake-free.
  • If you have found a bug in the blockchain of a token listed on our exchange, please report it to the token's developer.