About
BitoPro is developed by the BitoEX team, who started BitoEX in 2014. The platform provides cryptocurrency solutions such as digital wallets, business applications, financial auditing and more.
The BitoEX team is committed to being the leader of the digital currency industry, as BitoEX offers customers comprehensive services of excellent quality and unique branding. BitoEX is also expected to make the process of entering digital currency easy for everyone.
With increasing market demand, in 2017 the BitoEX team started to plan and develop BitoPro, a cryptocurrency exchange platform. We are looking forward to satisfying our customers by providing fast and economical trading services.
Policy
This bounty brief describes the rules of the BitoPro bug bounty program, as well as the eligibility of vulnerabilities and the rewards.
Scope
| Target | Type |
| --- | --- |
| Website | |
| api.bitopro.com | API |
| BitoPro Mobile Application for Android | Android |
| BitoPro Mobile Application for iOS | iOS |
Rewards/Ratings
Risk Level and Proposed Reward (USD)
| Critical | High | Medium | Low |
| --- | --- | --- | --- |
| $2,000 | $500 | $150 | $50 |
Risk Level
Vulnerabilities are classified into four levels depending on the possible danger, namely serious, high, medium, and low. BitoPro will evaluate the severity of a reported vulnerability using the following criteria:
- Critical Vulnerability
  Serious vulnerabilities are those occurring in the core business systems (i.e. core control system, domain control, business distribution system, and fortress machine, which can manage a large number of systems) that can cause a large-scale impact, obtain a large number of (depending on the actual situation) business system authorities, gain access to administrator rights, and control the core system.
  - Manipulation of multiple machines in the intranet
  - Capture of core backend super administrator rights, which may cause major impacts, such as large-scale leakage of core business data
- High-risk Vulnerability
  - Capture of system permission (getshell, command execution, etc.)
  - SQL injection into the system (backend vulnerability reports will be downrated, while packaged submissions will be uprated if appropriate)
  - Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend passwords, and SSRF that obtains considerable sensitive information from the intranet
  - Arbitrary file access
  - XXE vulnerabilities that can capture arbitrary information
  - Unauthorized operations with funds, bypassing payment logic (successfully exploited)
  - Serious logical design and process flaws, including but not limited to flaws that allow arbitrary user login and mass modification of account passwords, as well as logic flaws that compromise the company's key business, except for verification code brute-forcing
  - Other vulnerabilities that can cause large-scale impact to users, including but not limited to self-propagating stored XSS on important webpages, and stored XSS that can obtain and successfully use administrator authentication information
  - Substantial leakage of source code
- Medium-risk Vulnerability
  - Vulnerabilities that affect users through interaction, including stored XSS on normal webpages and CSRF in core businesses
  - Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations
  - Logic flaws in verification codes that may make brute-forcing of sensitive operations possible, such as arbitrary account login and arbitrary password retrieval
  - Leakage of locally stored sensitive encryption data (with effective use)
- Low-risk Vulnerability
  - Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access
  - General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing
  - Reflected XSS (including DOM XSS / Flash XSS)
  - Normal CSRF
  - URL redirection vulnerabilities
  - SMS bomb
  - Other low-risk vulnerabilities without proof of harm, such as CORS flaws that cannot obtain sensitive information
  - SSRF with no echo and no successful use
- Vulnerabilities Not Accepted Currently
  - SPF email forgery vulnerabilities
  - Enumeration of registered user names by brute-forcing the API
  - Self-XSS / POST reflected XSS
  - Email bomb
  - CSRF issues with non-sensitive operations
  - Other low-risk vulnerabilities
Rewards will be paid out in LTC (Litecoin).
Once your submission is accepted, please provide either of the following to receive your reward.
- your LTC wallet address
*Prices will change with the cryptocurrency markets and the dollar amount listed below may, therefore, change.
Please note that only vulnerabilities with a working proof of concept that shows how they can be exploited will be considered eligible for monetary rewards.
*BitoPro is eager to work with the community to make sure that every researcher's finding is rewarded fairly, based on the vulnerability's impact on business and overall severity. To this end, it is possible that extraordinarily severe issues or those with extreme impact may be rewarded up to $10,000 USD.
Responsible Disclosure
Responsible disclosure includes:
- Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
- Ensuring that efforts are made in good faith, so that they will not leak or destroy any of BitoPro’s user data.
- Not defrauding BitoPro’s users or BitoPro itself in the process of discovering these vulnerabilities.
To promote responsible disclosure, the BitoPro team promises not to bring any legal action against researchers who point out a problem, provided that the researchers do their best to follow the guidelines stated above.
Service-Level Agreement
The BitoPro team will make their best effort to meet the following requirements of the SLA for hackers participating in the program:
- First response within 5 business days from the time the report was submitted. Report to security@bitopro.com.
- Triage of the issue within 15 business days from the time the report was submitted.
- Bounty within 10 business days from the time the triage took place.
We’ll try to keep you informed about our progress throughout the process.