Bug Bounty

Issue severity | Bonus GBX
Non-existent (info provided is false and does not correspond to actual situation or not applicable to us or likely impossible to exploit) | 0 GBX
Minor | 1000 GBX
Significant | 10 000 GBX
Major | 100 000 GBX


Targets in scope

Target name | Type
globitex.com | Website
paynexpay.com | Website
api.globitex.com | API


Eligibility

Generally, any bug that poses a significant vulnerability, either to the security of our site or the integrity of our trading system, could be eligible for a bonus.

Examples of security issues that typically would be eligible:

  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Code Injection
  • Remote Code Execution
  • Privilege Escalation
  • Authentication Bypass
  • Leakage of Sensitive Data

Please note that only vulnerabilities with a working proof of concept that shows how they can be exploited will be considered eligible for a bonus.


Ineligibility

Examples of issues that are not eligible for a bonus:

  • Theoretical vulnerabilities without actual proof of concept
  • Vulnerabilities on sites hosted by third parties
  • Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.
  • Vulnerabilities affecting outdated or unpatched browsers
  • Vulnerabilities in third-party applications that make use of the Globitex API
  • Lack of security flags in cookies
  • Content spoofing
  • Cache-control related issues
  • Exposure of internal IP addresses or domains
  • Missing security headers that do not lead to direct exploitation
  • Plain submission of results obtained by auto scanners
  • Vulnerabilities that require physical access to a user's device
  • Assets that do not belong to Globitex
  • Issues already known to us or already reported by someone else (reward goes to first reporter)


Investigation and Reporting

  • Avoid testing on accounts other than those that you own
  • Avoid using automated testing scanners
  • Avoid excessive request attempts
  • Don't violate the privacy of other users, destroy data, disrupt our services, etc.
  • Initially report the bug only to us and not to anyone else


Caught a bug?

