

15/04/2019
Thanks / Gift / Hall of Fame / Reward: 200 HKN

In Scope

Scope Type | Scope Name
---|---
web_application | codex.one
web_application | api.codex.one

CODEX Exchange

CODEX is a licensed trading platform for cryptocurrencies and digital assets, built on a modern security infrastructure and a reward system for traders. CODEX offers some of the lowest fees on the market and a trade mining program.

__Scope

In Scope

Target | Type | Severity | Reward
---|---|---|---
codex.one | Web | Critical | Bounty
api.codex.one | API | Critical | Bounty

__Rewards

Severity (CVSSv3) | Reward
---|---
Critical | $3000
High | $1500
Medium | $500
Low | $200

__Focus Area

In-Scope Vulnerabilities


  • Remote Code Execution (RCE)
  • Authentication bypass
  • Theft of privileged information
  • XSS/CSRF/Clickjacking affecting sensitive actions (excluding Self-XSS and logout CSRF)
  • Privilege escalation
  • Database vulnerability, SQL Injection
  • Manipulation of account balance
  • Other vulnerability with clear potential for financial or data loss

Out-of-Scope Vulnerabilities


  • Theoretical vulnerabilities without actual proof of concept
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • DNS issues (e.g. MX records, SPF records, etc.)
  • Clickjacking/UI redressing with minimal security impact
  • Email or mobile enumeration (E.g. the ability to identify emails via password reset)
  • Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
  • Internally known issues, duplicate issues, or issues which have already been made public
  • Tab-nabbing
  • Self-XSS
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities related to auto-fill web forms
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Use of known vulnerable libraries without actual proof of concept
  • Lack of Secure/HTTPOnly flags on non-security-sensitive cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol version
  • Content spoofing
  • Cache-control related issues
  • Exposure of internal IP address or domains
  • Missing security headers that do not lead to direct exploitation
  • CSRF with negligible security impact (E.g. adding to favorites, adding to cart, subscribing to a non-critical feature)
  • Physical or social engineering attempts (this includes phishing attacks against employees)
  • Issues that have no security impact (E.g. Failure to load a web page)
  • Assets that do not belong to CODEX Exchange
  • UI and UX bugs and spelling or localization mistakes
  • Vulnerabilities in third-party applications
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Disclosure of known public files or directories, (e.g. robots.txt)
  • Weak Captcha
  • Recently disclosed 0-day vulnerabilities
  • Most brute-forcing issues
  • Denial of service
  • Spamming

__Program Rules

  • Avoid compromising any personal data and avoid interrupting or degrading any service.
  • Don't access or modify other users' data; confine all tests to your own accounts.
  • Don't exploit any DoS/DDoS vulnerabilities, and don't perform social engineering attacks or spam.
  • If you find a chain of vulnerabilities, we pay only for the vulnerability with the highest severity in the chain.
  • Only the first valid report of a given bug is eligible for a reward.
  • Don't publicly disclose any vulnerability until you are granted permission to do so.
  • Don't break any law, and stay within the defined scope.
  • Details of any vulnerability found must not be communicated to anyone who is not a member of the HackenProof Team or an authorized employee of this Company without appropriate permission.
  • Comply with the rules of the program.

Actions to avoid


  • Testing on accounts other than those that you own
  • Automated testing using tools such as scanners
  • Excessive request attempts
  • Destruction of data

__Disclosure Guidelines

  • Provide us a reasonable amount of time to fix the issue before publishing it elsewhere.
  • Make a good-faith effort not to leak or destroy any CODEX Exchange user data.
  • Do not defraud CODEX Exchange users or CODEX itself in the process of discovery.

__Non-security Related Issues

For non-security issues, please submit a request ticket at https://support.codex.one. Thank you for your efforts in helping keep CODEX Exchange and its users safe!

FireBounty © 2015-2019
