# EXBIT Bug Bounty Scheme

We are pleased to announce the launch of the EXBIT Bug Bounty (vulnerability reward) programme, and we sincerely invite security researchers and white hat hackers worldwide to help find vulnerabilities and build a more secure platform.

If you find a potential security vulnerability during testing, submit a complete vulnerability report to the official mailbox. After receiving the report, the security team will review and validate it, contact you once the vulnerability has been confirmed as valid, and pay the corresponding reward.

Vulnerability submission mailbox: (as published officially by EXBIT)

Every security contribution you make matters to the platform.

### I. Web Bug Bounty

#### 1. Scope of testing

This programme applies to the following systems:

- EXBIT official website
- EXBIT web trading system
- EXBIT account management system

#### 2. Reward criteria

The reward amount for a vulnerability is determined by a comprehensive assessment of:

- The scope of the vulnerability
- The difficulty of exploiting the vulnerability
- The actual level of security risk

The final reward amount is based on the assessment of the EXBIT security team.

### II. Web Vulnerability Severity Definitions

#### 1. Critical vulnerabilities (Critical)

Critical vulnerabilities typically affect EXBIT core business systems or critical infrastructure and may result in significant asset loss or system-wide security risk.

Possible outcomes include:

1. Unauthorized control of core business systems
2. Obtaining top-level system administrator privileges
3. Full takeover of key business modules

Examples include:

1. Control of multiple critical devices in the internal network
2. Obtaining backend super-administrator privileges, leading to the disclosure of core data
3. Critical smart-contract vulnerabilities, race conditions, etc.

#### 2. High-risk vulnerabilities (High)

High-risk vulnerabilities can directly affect system security, user assets or the integrity of business logic.

This includes, but is not limited to:

1. System access (e.g. GetShell, command execution)
2. SQL injection
3. Authentication bypass, weak passwords or SSRF
4. Arbitrary file read or XXE
5. Unauthorized transactions, payments or fund operations
6. Serious business-logic flaws (e.g. logging in as an arbitrary user, bulk password changes)
7. Stored XSS with large-scale impact
8. Large-scale source-code leakage
9. Flaws in smart-contract access control

#### 3. Medium-risk vulnerabilities (Medium)

Medium-risk vulnerabilities usually require specific conditions or user interaction to trigger and may have some security impact.

This includes, but is not limited to:

1. Vulnerabilities requiring user interaction (e.g. stored XSS, CSRF)
2. Horizontal privilege escalation (e.g. bypassing restrictions to modify other users' data)
3. Denial of service (DoS)
4. Logic flaws in verification codes that allow brute forcing
5. Leakage of sensitive authentication keys due to local or configuration problems

#### 4. Low-risk vulnerabilities (Low)

Low-risk vulnerabilities have limited impact, or it is difficult to demonstrate directly that they have serious security consequences.

This includes, but is not limited to:

1. Local DoS (client crash)
2. General information disclosure (routes, directory listing)
3. DOM-based / reflected XSS
4. General CSRF
5. Open redirect
6. SMS / email bombing (the same issue is accepted only once per system)
7. Other vulnerabilities that do not directly demonstrate a security impact

### III. Vulnerability types not accepted

The following issues are not covered by the EXBIT Bug Bounty scheme:

1. Email spoofing
2. User enumeration
3. Self-XSS / HTML injection
4. Missing CSP / SRI security policies
5. Non-sensitive CSRF
6. Android application configuration issues (e.g. `android:allowBackup="true"`)
7. Issues affecting performance only (e.g. image scaling leading to slow requests)
8. Third-party component version disclosure (e.g. Nginx version)
9. Functional defects without security implications
10. Social engineering attacks against EXBIT employees

### IV. Smart-contract vulnerability severity definitions

#### 1. Critical vulnerabilities (Critical)

- Manipulating governance or voting results
- Direct theft of user funds (excluding unclaimed yield)
- Permanent freezing of user funds
- Miner-extractable value (MEV)
- Protocol insolvency

#### 2. High-risk vulnerabilities (High)

- Theft or freezing of unclaimed yield / royalties
- Temporary freezing of user funds

#### 3. Medium-risk vulnerabilities (Medium)

- Contract fails to function properly due to a lack of tokens
- Block stuffing for profit
- Griefing (disruptive behaviour without a direct profit motive)
- Theft of gas or unbounded gas consumption

#### 4. Low-risk vulnerabilities (Low)

- No direct financial loss, but contract commitments are affected
- Informational issues (e.g. oracle problems, governance attacks, liquidity risks, Sybil attacks, etc.)
- Best practices and security enhancements

### Prohibited conduct

To ensure the safety of the platform and its users, the following are strictly prohibited during testing:

- Social engineering or phishing attacks
- Disclosing, distributing or selling vulnerability details
- Destructive testing (PoC validation only)
- Mass scanning with unauthorized scanners
- Modifying web content, displaying pop-ups or stealing cookies
- Using highly intrusive or destructive payloads

If any unintended effects occur during testing, report them immediately to EXBIT through official channels.

Violations of the above rules may result in forfeiture of rewards and may also incur corresponding legal liability.

### Concluding remarks

Thank you for your contribution to the security of the platform.

We look forward to working with security researchers worldwide to build a safer, more transparent and trusted digital asset ecosystem.
