CoinFLEX Bug Bounty Program

At CoinFLEX, security is of the utmost importance to us and our users. Hence, we wish to present to you the CoinFLEX Bug Bounty Program. The aim of this program is to more effectively engage with our community and supporters in reporting any bugs and vulnerabilities.

Responsible Disclosure Policy

CoinFLEX aims to keep its services safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in our services, we appreciate your help in disclosing it to us in a responsible manner.

Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.

This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit, written permission of the account holder that you can provide to CoinFLEX.

Bounty Program Rules

Contact email: [email protected]

Please provide detailed reports with reproducible steps.

If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.

We have a testnet (Stage) environment at https://coinflex.com. If you believe a reproduction could potentially harm service of the platform, please do a reproduction on Stage.

Requirements

We require that researchers:

  • Do not access customer or employee personal information, pre-release CoinFLEX content, or confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
  • Do not degrade the CoinFLEX user experience, disrupt production systems, or destroy data during security testing.
  • Perform research only within the scope.
  • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar.
  • When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
  • Securely delete CoinFLEX information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.
  • If you fulfill these requirements, CoinFLEX will:
  • Work with you to understand and attempt to resolve the issue quickly (confirming the report within 7 days of submission)
  • Recognize your contribution in our Security Researcher Hall of Fame, if you are the first to report the issue.
  • Pay you for your research for unique vulnerabilities that meet the guidelines listed below if you are the first to report the issue to us.

To encourage responsible disclosure, CoinFLEX will not file a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.

If you have any questions regarding the CoinFLEX program, please reach out to [email protected]

Focus Areas
We are currently accepting bounty bug reports for the following sites:
 
  • coinflex.com/* (this excludes subdomains)
  • notes.finance/*
 
E.G. coinflex.com, notes.finance, coinflex.com/bugbountyprogram etc would be valid while trading.coinflex.com is excluded.
 
If you find a bug remember to report it rather than testing on live. If you test on live then this breaches our policy and you will not receive any reward.

We encourage researchers to focus their efforts in the following areas:

  • Cross Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Brute force
  • SQL Injection (SQLi)
  • Insecure storage
  • Authentication related issues
  • Authorization related issues
  • Data Exposure
  • Redirection attacks
  • Remote Code Execution
  • Business Logic
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
  • Mobile-specific API vulnerabilities
Excluded Submission Types

Vulnerability reports which do not include careful manual validation – for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors or best practices without proof of exploitability – will be closed as Not Applicable.

The CoinFLEX Bug Bounty program excludes certain vulnerability classes as below:

  • Cookie expiration

  • Cookie migration/sharing

  • Forgot password autologin

  • Autologin token reuse

  • Static content over HTTP

  • Vulnerabilities related to offline playback.

  • Free trials

  • Same Site Scripting

  • Physical Testing

  • Social Engineering

    • For example, attempts to steal cookies, fake login pages to collect credentials

  • Phishing

  • Resource Exhaustion attacks

  • Denial of service attacks (DDoS)

  • Issues related to rate limiting

  • Login or Forgot Password page brute force and account lockout not enforced

  • Services listening on port 80

  • Internal IP address disclosure

  • Issues related to cross-domain policies for software such as flash, Silverlight etc. without evidence of an exploitable vulnerability

  • Weak password policies

  • Vulnerabilities impacting only old/end-of-life browsers/plugins including:

    • Issues that have had a patch available from the vendor for at least 6 months

    • Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)

    • Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of CoinFLEX systems or software (e.g. UXSS)
  • Reports relating to root certificates

  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks

  • Vulnerability reports relating to exposure of non critical files. E.G. robots.txt, sitemap.xml, .gitignore

  • Vulnerability reports relating to sites or network devices not owned by CoinFLEX

  • Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.

Additional Terms

Your testing must comply with applicable laws. This program is not an offer of employment. Whether to pay a reward and in what amount is at CoinFLEX’s discretion. You are responsible for any taxes associated with a reward you receive. We may modify or cancel this program at any time.

Your Report
Please note your report should contain the following at minimum to be considered:
  1. URLs affected
  2. Description
  3. Impact
  4. Proof of concept ( with screenshots or video if applicable)
  5. Mitigation/recommended fix
Rewards

The rewards are granted on a case by case basis depending on the threat level and report’s quality. Rewards will be paid in BTC.

Critical: 10000+ USDT equivalent
Severe: 1000 USDT equivalent
Moderate: 250 USDT equivalent
Low: 50 USDT equivalent

Once your submission is accepted, we will ask you to provide either of the following to receive your reward:

Email address registered on CoinFLEX
Your wallet address

Payments are made every Monday at 3pm UTC. If you have not received payment or a response then please get in touch again.

CoinFLEX Bug Bounty Program

At CoinFLEX, security is of the utmost importance to us and our users. Hence, we wish to present to you the CoinFLEX Bug Bounty Program. The aim of this program is to more effectively engage with our community and supporters in reporting any bugs and vulnerabilities.

Responsible Disclosure Policy

CoinFLEX aims to keep its services safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in our services, we appreciate your help in disclosing it to us in a responsible manner.

Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.

This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit, written permission of the account holder that you can provide to CoinFLEX.

Bounty Program Rules

Contact email: [email protected]

Please provide detailed reports with reproducible steps.

If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.

We have a testnet (Stage) environment at https://coinflex.com. If you believe a reproduction could potentially harm service of the platform, please do a reproduction on Stage.

Requirements

We require that researchers:

  • Do not access customer or employee personal information, pre-release CoinFLEX content, or confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.

  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.

  • Do not degrade the CoinFLEX user experience, disrupt production systems, or destroy data during security testing.

  • Perform research only within the scope.

  • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar.

  • When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.

  • Securely delete CoinFLEX information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.

  • If you fulfill these requirements, CoinFLEX will:

  • Work with you to understand and attempt to resolve the issue quickly (confirming the report within 7 days of submission)

  • Recognize your contribution in our Security Researcher Hall of Fame, if you are the first to report the issue.

  • Pay you for your research for unique vulnerabilities that meet the guidelines listed below if you are the first to report the issue to us.

To encourage responsible disclosure, CoinFLEX will not file a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.

If you have any questions regarding the CoinFLEX program, please reach out to [email protected]

Focus Areas

We are currently accepting bounty bug reports for the following sites:
 
  • coinflex.com/* (this excludes subdomains)
  • notes.finance/*
 
E.G. coinflex.com, notes.finance, coinflex.com/bugbountyprogram etc would be valid while trading.coinflex.com is excluded.
 
If you find a bug remember to report it rather than testing on live. If you test on live then this breaches our policy and you will not receive any reward.

We encourage researchers to focus their efforts in the following areas:

  • Cross Site Scripting (XSS)

  • Cross-Site Request Forgery (CSRF)

  • Brute force

  • SQL Injection (SQLi)

  • Insecure storage

  • Authentication related issues

  • Authorization related issues

  • Data Exposure

  • Redirection attacks

  • Remote Code Execution

  • Business Logic

  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

  • Mobile-specific API vulnerabilities

Excluded Submission Types

Vulnerability reports which do not include careful manual validation – for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors or best practices without proof of exploitability – will be closed as Not Applicable.

The CoinFLEX Bug Bounty program excludes certain vulnerability classes as below:

  • Cookie expiration

  • Cookie migration/sharing

  • Forgot password autologin

  • Autologin token reuse

  • Static content over HTTP

  • Vulnerabilities related to offline playback.

  • Free trials

  • Same Site Scripting

  • Physical Testing

  • Social Engineering

    • For example, attempts to steal cookies, fake login pages to collect credentials

  • Phishing

  • Resource Exhaustion attacks

  • Denial of service attacks (DDoS)

  • Issues related to rate limiting

  • Login or Forgot Password page brute force and account lockout not enforced

  • Services listening on port 80

  • Internal IP address disclosure

  • Issues related to cross-domain policies for software such as flash, Silverlight etc. without evidence of an exploitable vulnerability

  • Weak password policies

  • Vulnerabilities impacting only old/end-of-life browsers/plugins including:

    • Issues that have had a patch available from the vendor for at least 6 months

    • Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)

    • Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of CoinFLEX systems or software (e.g. UXSS)

  • Reports relating to root certificates

  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks

  • Vulnerability reports relating to exposure of non critical files. E.G. robots.txt, sitemap.xml, .gitignore

  • Vulnerability reports relating to sites or network devices not owned by CoinFLEX

  • Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.

Additional Terms

Your testing must comply with applicable laws. This program is not an offer of employment. Whether to pay a reward and in what amount is at CoinFLEX’s discretion. You are responsible for any taxes associated with a reward you receive. We may modify or cancel this program at any time.

Your Report

Please note your report should contain the following at minimum to be considered:
  1. URLs affected
  2. Description
  3. Impact
  4. Proof of concept ( with screenshots or video if applicable)
  5. Mitigation/recommended fix

Rewards

The rewards are granted on a case by case basis depending on the threat level and report’s quality. Rewards will be paid in BTC.

Critical: 10000+ USDT equivalent
Severe: 1000 USDT equivalent
Moderate: 250 USDT equivalent
Low: 50 USDT equivalent

Once your submission is accepted, we will ask you to provide either of the following to receive your reward:

Email address registered on CoinFLEX
Your wallet address

Payments are made every Monday at 3pm UTC. If you have not received payment or a response then please get in touch again.