DDEX Bug Bounty Program

Published in

DDEX

5 min readJul 27, 2018

DDEX’s highest priority is to ensure a safe and reliable trading experience. To further enhance our platform’s security and overall robustness, we are introducing our “DDEX Bug Bounty Program”. This program encourages the responsible disclosure of potential security vulnerabilities.

We appreciate a close relationship with White Hat hackers from the security research community. If you’ve found a vulnerability or bug, we encourage you to notify us as described below!

If you’ve found a vulnerability, we encourage you to notify us through here and select “Security Vulnerability” as the ticket type. We welcome working with you to resolve the issue promptly. Please be succinct: the contact form is reviewed by security engineers — a short proof-of-concept link is more valuable than a video explaining the consequences of an XSS bug.

https://support.ddex.io/hc/en-us/requests/new

You can find more rules and details below.

Happy bug hunting!

Rewards

Low:Up to $100 USD equivalent rewards
Medium:Up to $1,000 USD equivalent rewards
High:Up to $2,500 USD equivalent rewards
Critical:Up to $10,000 USD equivalent rewards

Scope

API: https://docs.ddex.io/
DDEX: https://ddex.io/trade

Qualifying vulnerabilities:

Remote Code Execution in the API, Exchange Web Services
SQL Injection
User authentication bypass
Unauthorized cross-account Access or Data
Reflective or Stored XSS
URL Redirect, some CSRF depending on impact
Authenticated CSRF, depending on impact.
SSL/Cipher Issues with tangible security impact.

A good bug report should include the following information at a minimum:

List the URL and any affected parameters
Describe the perceived impact. How could the bug potentially be exploited?

Some examples of qualifying vulnerabilities:

* Cross-site scripting,
* Cross-site request forgery,
* Mixed-content scripts,
* Authentication or authorization flaws,
* Server-side code execution bugs.

Non-qualifying vulnerabilities:

Vulnerabilities that are strictly client-side or require physical or malicious access to the user’s device.
Logout CSRF.
Flaws affecting the users of out-of-date browsers and plugins.
Bugs requiring exceedingly unlikely user interaction.
Insecure cookie settings for non-sensitive cookies.
Vulnerabilities that are on third-party’s server, this includes but not limited to digital wallets and DAPP browsers (Metamask, Ledger, Trust, Toshi, Cipher, etc).

SLA

Time to first response (from report submit) — 2 business days
Time to triage (from report submit) — 5 business days
Time to bounty (from triage) — 15 business days

We’ll try to keep you informed about our progress throughout the process.

Rules

No physical attacks against DDEX employees, offices, or data centers.
No social engineering of DDEX employees or users (phishing).
No DDoS (SYN floods, Slowloris attacks, etc)
Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Disclosure Policy

If you are able to execute an attack against our systems or user data, we ask you to be a white hat player and make every effort NOT to leak data or compromise the integrity of our systems. Specifically, we would ask you that:
Do not publicly disclose a bug before it has been fixed.
Do not disclose publicly or to a third-party for purposes other than fixing the bug.
Only the first report of a given issue that we were previously unaware of is eligible. In the event of a duplicate submission, the earliest filed bug report in the bug tracker is considered the first report.
Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
All rights of interpretation of the Bug Bounty are reserved to DDEX. DDEX decides whether to reward a bug disclosure and how much will be rewarded. Any individual or team participant should not violate any laws and regulations during testing.
When in doubt, contact us at support@ddex.io.

FAQ

-How is the bounty reward determined?
Our security and development teams take many factors into account when determining a reward. These factors include the complexity of successfully exploiting the vulnerability, the potential exposure, as well as the percentage of impacted users and systems. Sometimes an otherwise critical vulnerability has a very low impact simply because it is mitigated by some other component, e.g. requires user interaction, an obscure web browser, or would need to be combined with another vulnerability that does not currently exist.

-Who is eligible?
All international researchers are eligible. Researchers between 13 and 18 years of age are also eligible, however, those in the United States will need to submit a guardian consent form before any payment can be made. Individuals under 13 years of age are not eligible to participate due to U.S. federal law.
When will I receive a response about the vulnerability I submitted?
Please allow up to 48 hours for an initial response. Also realize that spam filters and email in general can sometimes be problematic. If you ever feel we are not communicating in a timely fashion, definitely let us know.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep DDEX and our users safe!

New to DDEX?

DDEX is a decentralized relayer, or you may see it as a decentralized application, which functions as an exchange. Running as a hybrid model decentralized relayer for Ethereum and ERC-20 tokens, DDEX utilizes both the hydro protocol and the 0x protocol to facilitate a safe and smooth decentralized exchange experience.