How to Report Vulnerabilities
Reward System
Our bug-bounty program has four security risk tiers (low, medium, high, and very high risk) and three asset tiers determined by an asset's level of importance. A white hat can be rewarded with up to 3,000 USDT to encourage white hats to help us discover possible vulnerabilities. With this system, we hope to build a more stable and reliable trading environment for all users.
| Level / USDT bonus | Very high risk vulnerabilities | Medium risk vulnerabilities | Low risk vulnerabilities | Bug reports | Language or grammatical errors |
| --- | --- | --- | --- | --- | --- |
| P1 | - | - | - | - | - |
| P2 | 150-300 | 75-150 | 15-60 | 7.5-15 | 1.5-7.5 |
| P3 | 300-800 | 150-300 | 60-150 | 15-75 | 8-15 |
| P4 | 800-1,500 | 400-800 | 150-300 | 75-150 | - |
| P5 | 1,500-3,000 | 800-1,500 | 300-600 | - | - |
Risk Level
Vulnerabilities are classified into four levels according to their potential impact, namely serious, high, medium, and low. Okcoin evaluates the severity of a reported vulnerability using the following criteria:
[P5 Vulnerability]
Serious vulnerabilities are those in core business systems (i.e. the core control system, domain controllers, business distribution systems, and bastion hosts that manage a large number of systems) that can cause large-scale impact, obtain control over a large number of business systems (depending on the actual situation), gain administrator rights, or take control of the core system.
- Control of multiple machines on the intranet
- Capture of core backend super-administrator rights, which may have major impact, such as large-scale leakage of core business data
[P4 Vulnerability]
- Capture of system permissions (getshell, command execution, etc.)
- SQL injection into a system (reports limited to a backend will be downrated; submissions that include the request pack may be uprated if appropriate)
- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend passwords, and SSRF that obtains considerable sensitive information from the intranet
- Arbitrary file access
- XXE vulnerabilities that can read arbitrary information
- Unauthorized operations on funds, or bypassing payment logic (successfully exploited)
- Serious logical design and process flaws, including but not limited to flaws that allow login as an arbitrary user or mass modification of account passwords, as well as logic flaws that compromise the company's key business, except for verification code brute-forcing
- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages, and stored XSS that can obtain and successfully use administrator authentication information
- Substantial leakage of source code
- Service outage caused by application or system upgrades, with significant and wide-ranging impact
[P3 Vulnerability]
- Vulnerabilities that affect users through interaction, including stored XSS on normal webpages and CSRF in core business functions
- Unauthorized operations, including but not limited to bypassing authentication to modify users' information or configurations
- Logic flaws in verification codes that may make brute-forcing of sensitive operations possible, such as login as an arbitrary account or retrieval of an arbitrary account's password
- Leakage of locally stored sensitive encrypted data (with an effective use)
- Identity verification that can be interrupted, such as during 2FA verification
- Vulnerabilities that hinder trading, deposits, or withdrawals, such as failure to cancel or place orders, or incorrect account history
- Obvious errors in descriptive content that mislead users
[P2 Vulnerability]
- Local denial-of-service vulnerabilities, including but not limited to local denial of service on the client (caused by parsing of file formats or network protocols), and issues related to exposed Android components and general application access
- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing
- Reflected XSS (including DOM XSS / Flash XSS)
- Normal CSRF
- URL redirection vulnerabilities
- SMS bombing
- Other low-risk vulnerabilities without proof of harm, such as CORS misconfigurations that cannot obtain sensitive information
- SSRF with no echo (blind) and no successful use
- A function or button that is unresponsive or fails and interrupts the expected product flow
- Inaccurate or ambiguous wording in emails or within the product flow
[P1 Vulnerability]
- SPF email forgery vulnerabilities
- Brute-force enumeration of registered usernames via an API
- Self-XSS / POST-based reflected XSS
- Email bombing
- CSRF on non-sensitive operations
- Other low-risk vulnerabilities
- For reports of the same issue found in different APIs, only the first report will be accepted.
- Reported bugs caused by network issues or hardware errors
- Spelling or grammatical errors
Vulnerability Submission Template
- Vulnerability request pack or URL (as text, not screenshots), or operation steps (e.g. Settings -> Personal Information -> Image upload issue)
- Vulnerability payload
- Proof of vulnerability risk (the rating is given according to the demonstrated risk level)
General Rules of Rating
- Multiple vulnerabilities with the same root cause are counted as one vulnerability.
- For example: multiple security flaws caused by the same API; multiple webpage vulnerabilities caused by the same publishing system; site-wide security vulnerabilities caused by the framework; multiple security vulnerabilities caused by wildcard domain resolution; multiple CSRF vulnerabilities caused by multiple APIs in the same system that all fail authentication or token verification; and incorrect assignment of parameters, documents, and directories.
- The reward for a vulnerability report is given only to the first person to report it.
- For the same vulnerability, if a later reporter can demonstrate a much larger impact than the first reporter did, both reports will be accepted, and the first reporter will receive a share of the reward given to the later reporter.
- Details of any vulnerability must not be disclosed, except for those already publicly released on the internet.
- Taking advantage of vulnerability testing to harm our users' interests, business operations, or data security will not be tolerated. Okcoin will take legal action against such behavior.
- For any unclear report, Okcoin will contact the reporter to request details, such as the URL of the vulnerability, a detailed description in text, and screenshots.
- SQL injection reports require proof of code injection. A mere error message will not be processed.
- Weak password issues (except for externally registrable systems):
  - Weak passwords in the same system found by the same person will be merged and treated as one report. (If the vendor has already fixed a previously reported weak password, subsequent reports will be downrated and merged.)
  - A default initial password will be processed as one vulnerability. (For example, if the initial passwords of all mailboxes are the same, this is considered one vulnerability.)
  - For non-key systems, only the first weak password will be processed; other weak passwords submitted subsequently will be skipped as appropriate.
  - For key systems or core businesses, only the first two weak passwords will be rated; subsequent weak password issues will be downrated or ignored as appropriate.
- Vulnerabilities in marginal or abandoned business systems may be downrated as appropriate.
- Multiple vulnerabilities that are contextually related, such as accessing the backend with a weak password and then carrying out SQL injection, may be merged into one report to increase the overall risk rating. Please do not split such vulnerabilities across multiple reports. Users who behave maliciously, such as by splitting or exploiting vulnerabilities, will be penalized with an account freeze or even termination.
- Information leakage vulnerabilities, such as leakage on GitHub or unauthorized access to Memcache and Redis, will be rated according to the usefulness and sensitivity of the information. Leakage of low-harm information, such as paths and phpinfo data, will not be handled.
- For vulnerabilities caused by outdated CMS versions, only the first security issue submitted for each vulnerability type will be accepted.
- Do not test vulnerabilities that may cause business interruption, such as IIS denial of service and slow_http_dos tests.
- Reports of frontend enumeration and brute-force vulnerabilities require evidence of a successful case. For backend brute-force vulnerabilities, only reports of successful cases will be accepted; reports of successful brute-forcing that nevertheless fails to enter the backend will be rejected.
- If one person submits two vulnerabilities, one on the PC (web) side and one on the app side, that share the same API and code (even on different domains), we will merge the two reports into one and may consider raising the reward for the merged case. If the two vulnerabilities are reported by different people, they will be treated as duplicate reports.
- Information leakage vulnerabilities (including on GitHub; please indicate in the report why you believe the leak relates to Okcoin) that could cause considerable harm are classified as serious or high risk. Leakage of online core application service configuration and code is generally medium risk. Leaks that cannot be effectively exploited and relate to non-core businesses are deemed low risk.
Reward Distribution
Once a vulnerability is confirmed, our customer support will follow up with the reporter for details. After the vulnerability is fixed, the reward will be distributed to the reporter's Okcoin account within 1 – 2 working days.
Dispute Resolution
If you have any concerns about the reporting process, risk levels, or risk ratings, please contact our customer support for prompt discussion.