Bug Bounty
| Issue severity | Bonus GBX |
|---|---|
| Non-existent (information provided is false and does not correspond to the actual situation, is not applicable to us, or is likely impossible to exploit) | 0 GBX |
| Minor | 1000 GBX |
| Significant | 10 000 GBX |
| Major | 100 000 GBX |
Targets in scope
| Target name | Type |
|---|---|
| globitex.com | Website |
| paynexpay.com | Website |
| api.globitex.com | API |
Eligibility
Generally, any bug that poses a significant vulnerability, either to the security of our site or to the integrity of our trading system, could be eligible for a bonus.
Examples of security issues that would typically be eligible:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Code Injection
- Remote Code Execution
- Privilege Escalation
- Authentication Bypass
- Leakage of Sensitive Data
Please note that only vulnerabilities with a working proof of concept that shows how they can be exploited will be considered eligible for a bonus.
Ineligibility
Examples of issues that are not eligible for a bonus:
- Theoretical vulnerabilities without actual proof of concept
- Vulnerabilities on sites hosted by third parties
- Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.
- Vulnerabilities affecting outdated or unpatched browsers
- Vulnerabilities in third party applications that make use of Globitex API
- Lack of security flags in cookies
- Content spoofing
- Cache-control related issues
- Exposure of internal IP addresses or domains
- Missing security headers that do not lead to direct exploitation
- Plain submission of results obtained by auto scanners
- Vulnerabilities that require physical access to a user's device
- Assets that do not belong to Globitex
- Issues already known to us or already reported by someone else (reward goes to first reporter)
Investigation and Reporting
- Avoid testing on accounts other than those that you own
- Avoid using automated testing scanners
- Avoid excessive request attempts
- Don't violate the privacy of other users, destroy data, disrupt our services, etc.
- Initially report the bug only to us and not to anyone else
Caught a bug?
- Send your report to [email protected]
- Please allow 2 business days for us to respond