Introduction
BitoPro is developed by the BitoEX team, who started paving the way for cryptocurrency in 2014. Today, we have integrated BitoEX into BitoPro, creating a unified service from digital wallets to professional trading. We successfully completed the Taiwan Financial Supervisory Commission's (FSC) "Anti-Money Laundering Registration of Enterprises or Persons Providing Virtual Asset Services" (the new regime), becoming one of the first virtual asset service providers in Taiwan to pass the AML registration as a lawful operator.
At BitoPro, our users' security and privacy are our top priorities. We are committed to maintaining a secure trading environment and protecting user assets. To achieve this, we encourage independent security researchers to identify and report vulnerabilities through our Bug Bounty Program.
Policy
This bounty brief describes the rules of the BitoPro bug bounty program, as well as the eligibility of vulnerabilities and the rewards.
Scope
| Target | Type |
| --- | --- |
| Website | |
| api.bitopro.com | API |
| BitoPro Mobile Application for Android | Android |
| BitoPro Mobile Application for iOS | iOS |
Rewards/Ratings
Risk Level and Proposed Reward (USDT)
| Critical | High | Medium | Low |
| --- | --- | --- | --- |
| $2,000 | $500 | $150 | $50 |
Risk Level
Vulnerabilities are classified into four levels depending on the potential harm, namely critical, high, medium, and low. BitoPro will evaluate the severity of a reported vulnerability using the following criteria:
Critical Vulnerability
Critical vulnerabilities are those in core business systems (for example the core control system, domain controllers, the deployment/distribution system, or a bastion host that administers many other systems) that can cause large-scale impact, yield control of a large number of business systems (judged case by case), or grant administrator rights and control over the core system. Examples:
- Control of multiple machines on the internal network
- Capture of core backend super-administrator rights with major consequences, such as large-scale leakage of core business data
High-risk Vulnerability
- Taking control of a system (getshell, remote command execution, etc.)
- SQL injection against a system (reports against backend-only systems may be downgraded; a bundled submission covering several instances may be upgraded where appropriate)
- Unauthorized access to sensitive data, including but not limited to bypassing authentication to reach the backend, weak backend passwords, and SSRF that retrieves substantial sensitive information from the intranet
- Arbitrary file access
- XXE that can read arbitrary data
- Unauthorized operations on funds or bypass of payment logic (successfully exploited)
- Serious logic and workflow flaws, including but not limited to flaws that allow login as arbitrary users or mass modification of account passwords, and logic flaws that compromise the company's key business; verification-code brute forcing is excluded
- Other vulnerabilities with large-scale impact on users, including but not limited to self-propagating stored XSS on important pages and stored XSS that obtains and successfully uses administrator credentials
- Substantial leakage of source code
Medium-risk Vulnerability
- Vulnerabilities that affect users through interaction, including stored XSS on ordinary pages and CSRF in core business functions
- Unauthorized operations, including but not limited to bypassing authentication to modify users' information or settings
- Verification-code logic flaws that make brute forcing of sensitive operations possible, such as login as an arbitrary account or reset of an arbitrary account's password
- Leakage of locally stored sensitive encrypted data (with a demonstrated use)
Low-risk Vulnerability
- Local denial of service, including but not limited to client-side denial of service caused by parsing of file formats or network protocols, and issues with exposed Android components and general application access
- General information leakage, including but not limited to web path disclosure, system path disclosure, and directory listing
- Reflected XSS (including DOM-based XSS / Flash XSS)
- Ordinary CSRF
- URL redirection vulnerabilities
- SMS bombing (unthrottled SMS sending)
- Other low-risk vulnerabilities without proof of harm, such as CORS misconfigurations that cannot obtain sensitive information
- SSRF with no response and no demonstrated use (blind SSRF without a demonstrated impact)
Vulnerabilities Not Accepted Currently
- Email spoofing due to SPF configuration
- Enumeration of registered usernames by brute forcing the API
- Self-XSS / reflected XSS that requires a POST request
- Email bombing
- CSRF on non-sensitive operations
- Other low-risk vulnerabilities
Rewards will be paid out in USDT.
Once your submission is accepted, please provide the following to receive your reward:
- your USDT wallet address
*BitoPro is eager to work with the community to make sure that every researcher's finding is rewarded fairly, based on the vulnerability's impact on the business and its overall severity. To this end, extraordinarily severe issues or those with extreme impact may be rewarded up to $10,000 USDT.
Responsible Disclosure
Responsible disclosure includes:
- Giving us a reasonable amount of time to fix the issue before publishing it elsewhere.
- Acting in good faith, so that no BitoPro user data is leaked or destroyed.
- Not defrauding BitoPro's users or BitoPro itself in the process of discovering these vulnerabilities.
To promote responsible disclosure, the BitoPro team promises not to bring any legal action against researchers who point out a problem, provided that the researchers do their best to follow the guidelines stated above.
Reporting Process
To ensure your submission is processed efficiently, please follow these steps:
- Preparation: Document your findings with a clear description, potential impact, and a Proof of Concept (PoC) (e.g., screenshots, videos, or scripts).
- Submission: Send your report directly to 📩 security@bitopro.com
- Communication: Please use a consistent email thread for follow-up questions to avoid delays.
Service-Level Agreement
The BitoPro team will make its best effort to meet the following SLA for researchers participating in the program:
- First response within 5 business days of the report being submitted.
- Triage within 15 business days of the report being submitted.
- Bounty paid within 10 business days of triage.
We’ll try to keep you informed about our progress throughout the process.