BUG Bounty Program

DragonEx
Nov 28, 2019

DragonEx is committed to providing the most secure platform for its users. We are well aware of the important role that external security researchers and developers play in maintaining the security of the community. On November 28, 2019, we hereby release the DragonEx BUG Bounty Program. DragonEx welcomes BUG reports submitted to this email: service@dragonex.io.

Bounty system:

Vulnerability level: Recommended reward

High risk: 100–500 DT
Medium risk: 30–100 DT
Low risk: 10–30 DT

Extra 50% bonus for the second report eligible for reward (at least Medium risk)
Extra 75% bonus for the third report eligible for reward (at least Medium risk)
Extra 100% bonus for the fourth and any further reports eligible for reward (at least Medium risk)

Vulnerability level description
Vulnerabilities are classified into three levels: [high-risk], [medium-risk], and [low-risk].
The vulnerability rating taxonomy is as follows:

【High Risk】

The base score is 60–100. High-risk vulnerabilities include but are not limited to:

1. Vulnerabilities that directly yield system privileges (server privileges or client privileges), including but not limited to remote command execution, arbitrary code execution, file upload leading to a webshell, SQL injection that yields system privileges, and similar vulnerabilities.
2. Vulnerabilities that directly cause denial of service of important services, including but not limited to API denial of service, website application denial of service, and other remote denial-of-service vulnerabilities with severe impact.
3. Leakage of important sensitive information, including but not limited to SQL injection in important business databases, and interface flaws through which large amounts of core business data or other sensitive information can be obtained.
4. Severe logic and process design flaws, including but not limited to batch modification or cracking of arbitrary account passwords, and logic bypasses involving core business.
5. Unauthorized access to sensitive information, including but not limited to bypassing authentication to directly access the management backend, weak passwords on important backends, and server-side request forgery (SSRF) that obtains large amounts of sensitive information from the intranet.
6. Sensitive operations on the enterprise's important business performed beyond the caller's authority, including but not limited to cross-account modification of important information and modification of important business configuration.
7. Other vulnerabilities affecting users at scale, including but not limited to stored cross-site scripting (including stored DOM-XSS) on important pages that can propagate automatically.

【Medium Risk】

The base score is 30–50. Medium-risk vulnerabilities include but are not limited to:

1. Vulnerabilities that affect users through interaction, including but not limited to stored cross-site scripting on ordinary pages and cross-site request forgery (CSRF) involving core business.
2. Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information or perform user operations.
3. Common logic and process design flaws, including but not limited to unlimited SMS sending and registration with arbitrary mobile numbers or email addresses.

【Low Risk】

The base score is 10–20, and the reward coefficient may be 0. Low-risk vulnerabilities include but are not limited to:

1. Local denial-of-service vulnerabilities, including but not limited to client-side local denial of service (crashes caused by parsing file formats or network protocols), and issues caused by exposed Android component permissions, common application permissions, etc.
2. General information leakage, including but not limited to client-side plaintext storage of passwords, web path traversal, and system path traversal.
3. Other vulnerabilities with minimal harm, including but not limited to reflected cross-site scripting (including reflected DOM-XSS), ordinary cross-site request forgery (CSRF), URL redirection vulnerabilities, etc.

Supplementary note:

1. DragonEx only rewards the first finder who submits a bug and has it verified. Duplicate reports will not receive rewards, but DragonEx will reply to explain the situation;
2. During processing of a vulnerability report, if the reporter objects to the handling, vulnerability rating, vulnerability scoring, etc., they can contact us by email.
3. Reward distribution: rewards will be issued within 1 week after the vulnerability report is verified and can be viewed under DragonEx Account — Bills. Rewards are issued in the form of DT; for some special reports DragonEx will also provide additional rewards;
4. DragonEx reserves the right of final interpretation.

DragonEx Team
November 28, 2019
