BitMEX

2018-08-28
2019-11-28

Reward: 50 $
Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit, written permission of the account holder that you can provide to BitMEX.

Program Rules

  • Avoid testing on www.bitmex.com; testnet.bitmex.com is typically identical to the production environment, and simplifies testing.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Mobile Beta Access 07/04/2022 - 11/04/2022

We are launching our mobile applications soon and would like to invite beta testers/hackers to come along and find bugs in our Android and iOS applications. Access will be granted on a first come, first served basis and is limited to 200 testers for Android and 1000 for iOS. To get access, please download the applications from their respective app stores and then follow the instructions below:

Beta Testnet Download Links for BitMEX Lite Testnet:

  • Play Store (Max. 200 testers): https://play.google.com/store/apps/details?id=com.bitmex.app.android.testnet

  • App Store (Max. 1000 testers): https://testflight.apple.com/join/533gFghn

Instructions:

  • Hackers will need to register for a BitMEX Testnet account.

  • Once the account is created, verify the associated email address.

  • Log in twice; the account is automatically KYC-approved on the second login.

  • Start hacking!

Exclusions

While researching, we'd like to ask you to refrain from engaging in or reporting:

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

  • Network disruption of service (DoS) attacks (e.g. connection floods, HTTP GET floods, etc.). Notes on DoS testing:

      • App-layer DoS testing is permissible as long as the testing is not load or network based.

      • As with the rest of the bug bounty program, only test on https://testnet.bitmex.com.

      • If you have found a probable DoS vector, we encourage proactively reporting it so we can help you evaluate whether it is exploitable.

      • App-layer DoS issues are eligible for up to critical severity, at our discretion based on impact and complexity.

  • DDoS protection bypasses

  • Social engineering (including phishing) of BitMEX staff or contractors.

  • Any physical attempts against BitMEX property or data centers.

  • Bugs in non-standard browsers or browsers not supported by BitMEX.

  • Clickjacking on pages with no sensitive actions.

  • CSRF issues without a working proof-of-concept in a major, current-version browser.

  • Unauthenticated/logout/login CSRF.

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Missing best practices in SSL/TLS configuration.

  • Missing best practices without a working Proof of Concept.

  • Path disclosure.

  • Missing CSP headers, X-Frame-Options, Content sniffing, HPKP, etc.

  • Content injection or XSS that are mitigated by CSP will be treated as a low-severity issue unless a bypass can be found in the policy in a major, current-version browser.

  • Bypasses must include a working proof-of-concept to be eligible.

  • 0-days will not be rewarded within the first 30 days of their public release, to allow time for remediation to be undertaken; however, the first reporter, or any report that finds an affected area we have missed, will be rewarded even if it is within those 30 days.

In Scope

Scope Type           Scope Name
android_application  https://play.google.com/store/apps/details?id=com.bitmex.app.android.testnet
android_application  com.bitmex.app.android
ios_application      1589023233
other                All Other BitMEX Assets
web_application      *.bitmex.com
web_application      testnet.bitmex.com
web_application      https://testflight.apple.com/join/533gFghn

Out of Scope

Scope Type           Scope Name
web_application      research.bitmex.com
web_application      blog.bitmex.com
web_application      support.bitmex.com
web_application      status.bitmex.com
web_application      www.bitmex.com
web_application      public.bitmex.com
web_application      public-testnet.bitmex.com
web_application      bitmex.freshdesk.com
web_application      bitmex-org.freshworks.com


This program, crawled on 2018-08-28, is sorted as bounty.

FireBounty © 2015-2024
