About
Coincall is a leading global cryptocurrency derivatives trading platform, dedicated to creating a trading ecosystem that is both simple to use and powerful in functionality. Through our innovative technology and user-friendly design, we make options and futures trading accessible not just to financial experts but to investors worldwide, unleashing the vast potential of the cryptocurrency market. With Coincall, we aim to enhance the financial freedom and trading efficiency of global users in the cryptocurrency derivatives market.
Policy
At Coincall, the security of our users' information and funds is our top priority. Therefore, we strive to provide the safest platform and create the most secure trading environment. We assess the security issues reported based on their impact on both our users and all business systems under Coincall.
This bounty policy outlines the rules of Coincall’s Vulnerability Bounty Program, including the eligibility and rewards for vulnerabilities.
Our rewards are based on the severity levels of CVSS (Common Vulnerability Scoring System). Please note that these are general guidelines, and the final rewards are determined by Coincall based on impact and exploitability. The minimum payout for reports of lower severity but potentially directly exploitable issues is $100. The maximum reward is $3,000, and we may offer higher amounts for vulnerabilities that are deemed severe or creative.
| Severity | Reward Range | Examples |
|---|---|---|
| Critical | $1,000 - $3,000 | Vulnerabilities that allow unauthorized access to user funds and sensitive information, leading to significant financial losses or disrupting normal trading (realizable, not conceptual). |
| High | $500 - $1,000 | SQL injection, remote code execution, command execution and transaction business logic vulnerabilities in core business operations. |
| Medium | $200 - $500 | SQL injection and transaction business logic vulnerabilities in general business operations. |
| Low | $100 | Reflected XSS, request redirection, etc. |
Rewards can be paid in USDT or CALL.
Once your submission is accepted, to receive a reward, please provide one of the following:
- Your registered account information on Coincall (email)
- Your TRC20 wallet address
We recommend that researchers create a dedicated private Coincall account.
Note that the CALL price will vary with cryptocurrency market fluctuations.
Note:
1. For reporting vulnerabilities, please reach out to us at bug_bounty@coincall.com.
2. Please note that only those reports that provide valid proof and demonstrate how to exploit a specific vulnerability are eligible for a reward. Coincall reserves the right to make the final decision on which reports meet the reward criteria.
3. Coincall looks forward to collaborating with the community to ensure that each researcher's contribution is fairly rewarded. For security vulnerabilities that significantly impact our business, we will offer additional rewards.
Scope
- .coincall.com
- Coincall iOS app
- Coincall Android app
Note: Any domains/assets not listed are out of scope. If you believe a specific asset or activity not mentioned here should be in scope, please submit a report and briefly explain why you think it should be included.
Researchers should not attempt to move any funds. If proof of concept requires such an attempt, researchers must first contact Coincall and seek approval. Researchers who attempt to move funds without prior approval are not eligible for a bounty.
If an issue reported in one of our businesses/systems also affects other businesses/systems with the same cause, the issue will be considered as a single issue. Please do not report the same bug multiple times.
Some examples of vulnerabilities we are interested in:
- Vulnerabilities that could lead to remote loss of user funds/assets
- Core business application denial of service (excluding DDOS & CC)
- Remote code execution
- SQL injection
- SSRF
- Arbitrary file reading
- Business logic vulnerabilities, issues related to the best
- ...
Ineligible issues (will be closed due to being out of scope):
- Theoretical vulnerabilities without practical proof of concept
- Issues not affecting security (e.g., inability to load a webpage)
- Assets not owned by Coincall
- Security practices that are not directly exploitable vulnerabilities
- Email validation flaws, password reset link expiration, and password complexity policies
- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
- Low-risk clickjacking/UI modifications
- Email or user enumeration (e.g., identifying email registration through password reset)
- Low-risk information disclosures (e.g., stack traces, path disclosures, directory listings, logs)
- Internal known issues, duplicate issues, or issues already made public
- Tab-nabbing
- Self-XSS
- Vulnerabilities dependent on outdated browsers or platforms (e.g., XSS relying on Adobe Flash)
- Vulnerabilities related to auto-filling web forms without practical proof of concept
- Missing security flags in cookies
- Issues related to insecure SSL/TLS cipher suites or protocol versions
- Content spoofing
- Cache control related issues
- Exposure of internal IP addresses or domains
- Missing security headers that do not lead to direct exploitation
- CSRF on non-critical functions (e.g., login, logout, subscription to non-critical features)
- Vulnerabilities requiring root/jailbreak
- Vulnerabilities requiring physical access to user devices
- Behaviors affecting normal business operations (e.g., DoS/DDoS)
- Reports from automated tools or scans
- Links to invalid/expired pages
- Risks associated with Zendesk and other third-party platforms
- Spamming
- Social engineering
- Low-impact issues related to session management