English
English

Bounty for cyber security

In Scope

TargetTypeSeverityReward
tokenize.exchange GoWebCriticalBounty
api2.tokenize.exchange GoWebCriticalBounty
Android App GoAndroidCriticalBounty
iOS App GoiOSCriticalBounty

Rewards

SeverityCritical
RewardSGD 1,500 worth of TKX
SeverityHigh
RewardSGD 800 worth of TKX

In Scope Vulnerabilities

We are interested in the following vulnerabilities:

Business logic issues
Remote code execution (RCE)
Database vulnerability, SQLi
File inclusions (Local & Remote)
Access Control Issues (IDOR, Privilege Escalation, etc)
Leakage of sensitive information
Server-Side Request Forgery (SSRF)
Other vulnerability with a clear potential loss

Out of Scope Vulnerabilities

Web
Mobile
  • Vulnerabilities in third-party applications
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Vulnerabilities involving active content such as web browser add-ons
  • Most brute-forcing issues without clear impact
  • Denial of service
  • Theoretical issues
  • Moderately Sensitive Information Disclosure
  • Spam (sms, email, etc)
  • Missing HTTP security headers
  • Infrastructure vulnerabilities, including:
    • Certificates/TLS/SSL related issues
    • DNS issues (i.e. MX records, SPF records, etc.)
    • Server configuration issues (i.e., open ports, TLS, etc.)
  • Open redirects
  • Session fixation
  • User account enumeration
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Self-XSS that cannot be used to exploit other users
  • Login & Logout CSRF
  • Weak Captcha/Captcha Bypass
  • Lack of Secure and HTTPOnly cookie flags
  • Username/email enumeration via Login/Forgot Password Page error messages
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD)
  • Mixed HTTP Content
  • HTTPS Mixed Content Scripts
  • DoS/DDoS issues

Program Rules

bounty rule
  • Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services or infrastructure
  • Avoid compromising any personal data, interruption or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find chain vulnerabilities we’ll pay only for vulnerabilitywith the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not an authorized employee of this Company without appropriate permission

Range of Bounty

SGD 0.00 – SGD 1,500 worth of TKX