
Bug Bounty Program

About the Program

XREX is a blockchain-enabled financial institution that works with banks, regulatory bodies, and users to redefine the banking industry. We provide enterprise-grade banking services to small and medium-sized businesses (SMBs) in emerging markets or dealing with emerging markets, as well as beginner-friendly financial services to individuals worldwide.

We are committed to providing secure and stable software and services to our customers. We firmly believe that transparency and collaboration are key to maintaining security. To continuously improve the security of our products, we collaborate with security researchers worldwide to collectively identify and address potential security vulnerabilities. Through this program, we encourage researchers to report any vulnerabilities they discover to help us enhance our products and services.

If you are a security researcher or an expert with relevant expertise in information security, we welcome your participation in our Bug Bounty program. You can assist us in improving the security of our products by discovering and reporting potential vulnerabilities. We highly value your contributions and will provide appropriate rewards.

However, as the act of seeking security vulnerabilities can potentially constitute a crime, we kindly ask you to adhere to the following rules:

Vulnerability Handling

The XREX Product Security Incident Response Team (PSIRT) responds to reported security vulnerabilities in XREX products. Working with members of the security community and customers, the PSIRT works to ensure that security vulnerabilities affecting XREX products are documented and that solutions are released in a responsible fashion. XREX is committed to rapidly addressing security vulnerabilities affecting our customers and to providing clear guidance on the solution, impact, severity, and mitigation.

Disclosure Policy

Let us know as soon as possible upon discovery of a potential security issue and we’ll make every effort to quickly resolve the issue. 

Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party. 

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Reporting a Potential Security Vulnerability

When reporting a potential vulnerability please include as much of the below information as possible to help us better understand the nature and scope of the reported issue: 

  • Product name and version that contains the vulnerability 
  • Environment or system information under which the issue was reproduced (e.g. product version number, OS version etc.) 
  • Type and/or class of vulnerability (XSS, buffer overflow, RCE, etc.) 
  • Step-by-step instructions to reproduce the vulnerability 
  • Proof-of-concept or exploit code 
  • Potential impact of the vulnerability

Scope

The following cases are in scope of PSIRT:

In Scope
  • Web: exchange.xrex.io, *.xrex.exchange
  • iOS: XREX on the Apple App Store
  • Android: XREX on Google Play

a. Qualifying Bugs

     Any bugs that we consider important.

  • SQL injection
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Authentication Flaws
  • Remote Code Execution
  • Privilege Escalation
  • Code Injection

b. Non-qualifying Bugs

     Typically, the following types of bugs are not eligible for a bounty:

  • Security vulnerabilities on sites hosted by third parties (e.g. xxxxx.desk.com) unless they lead to a vulnerability on an XREX-hosted site
  • Security vulnerabilities in third-party applications which use the XREX API
  • Denial of service (DoS)
  • Spamming
  • Social Engineering
  • Bugs affecting outdated or unpatched browsers

Note: We encourage you to submit all potential issues, but lower-severity issues are not in scope for the bounty at this time.

Reward

We will regularly review the bounty amounts in order to recognize and reward the contributions of the security researchers who help us.

Rewards will be provided according to the rules of this bug bounty program as outlined above. At the discretion of XREX, quality, creativity, or novelty of submissions may modify payouts within a given range.

In case of multiple reports about the same issue, XREX will reward the earliest submission, regardless of how the issue was reported.

Vulnerabilities are rated using the CVSS 3.1 standard.

Severity                   Minimum   Maximum
Critical (CVSS 9.0 – 10.0) $1,000    $3,000
High (CVSS 7.0 – 8.9)      $500      $1,000
Medium (CVSS 4.0 – 6.9)    $200      $500
Low (CVSS 0.0 – 3.9)       $100      $200

Currency: USDC

Vulnerability Severity Levels Explanation

Critical: Critical risks refer to vulnerabilities with the highest level of threat, potentially resulting in complete system failure, massive data breaches, unauthorized access or control, and significant consequences such as loss of user funds. Such vulnerabilities usually have a severe impact on the operation of an exchange and the security of user funds.

High: High-risk vulnerabilities indicate issues that are serious but may not have fatal consequences. They may lead to data leaks, theft of user identity information, limitations on certain functionalities or systems, and could potentially affect the security of user funds to some extent. However, these vulnerabilities are more localized and controllable.

Medium: Medium-risk refers to potential vulnerabilities with relatively lower threat levels. These vulnerabilities may cause certain functionalities to fail, interface issues, or non-critical information leaks. However, they generally do not have a significant impact on the system’s security and the security of user funds.

Low: Low-risk vulnerabilities refer to those with minor impact and lower threat levels. These vulnerabilities typically only affect system details or user experience slightly and do not pose significant risks to security or the security of user funds.

Report Content

Critical and medium issues should be written up as a bug report in Google Docs; then create an issue that links to your Google Docs report.

Generally, you’ll need to explain where the bug is, who it affects, how to reproduce it, the parameters it affects, and provide Proof-of-Concept supporting information.

Here’s what the report should contain, at a minimum:

  1. Vulnerability title: This will be the title of your report, and should describe the type of bug found, where it was found, and the overall impact. For example, “Remote File Inclusion in Resume Upload Form allows remote code execution” is much more descriptive and helpful than “RFI Injection found.”
  2. Affected component: The component field identifies the specific target affected by the bug you have found.
  3. Vulnerability type: SQLi, XSS, buffer overflow, RCE, etc.
  4. Vulnerable path: The bug URL identifies the location in the application where you discovered the bug.
  5. Severity: Critical / Medium / Low
  6. Description: Your report must include clear and descriptive replication steps so that the organization can easily reproduce and validate your findings.
  7. Steps to reproduce: Step-by-step instructions to reproduce the vulnerability.
  8. Remediation: Suggest some remediations.

How to Report to Us

When contacting us, please provide the actual domain where you discovered the vulnerability. Additionally, please provide as much detailed information as possible about the vulnerability reproduction to expedite our analysis and reward issuance.

To report security vulnerabilities affecting the XREX product, please use the XREX Bug Bounty form. Please provide as much information as possible, including the affected product name and version, a detailed description of the vulnerability, and any information about known exploits. 

Please note that we will store and process your data during the analysis process. If you wish for your report to be handled anonymously, please indicate so in your form. However, please be aware that in such cases, we will be unable to provide any rewards for your efforts.